There's a confusing stew of regulations and requirements that might force you to implement some degree of DCAR functionality. Which rules apply depends on what industry you're in, where you're located, whether your company is controversial, and so on. Worse yet, some of these requirements might conflict, which means that complying with them can be impossible without expert assistance. Table 17-1 lists some of the most important regulations for companies operating in the United States.
Regulation | Industry | Description | Key Point |
---|---|---|---|
Securities and Exchange Commission (SEC) Rule 17a-3 and 17a-4 | Financial services | SEC 17a-3 specifies the types of records the firm must create and manage, and how the records are distributed. SEC 17a-4 requires that electronic communications be retained and that a designated third party must have access to those records in place of the corporation. | Retention |
North American Securities Dealers (NASD) rules 3010 and 3110 | Financial companies | NASD rules define what level of supervision must occur when communications with clients and other parties are not prereviewed. In addition to the review itself, evidence (reports) of the review must be maintained. | Review |
Department of Defense (DoD) 5015.2-STD | Government | This is a records management application (RMA) test with rigorous requirements for systematic control of the creation, classification, maintenance, use, reproduction, and deletion of records. | Records management born out of paper and document management systems |
Sarbanes-Oxley Act of 2002 | Corporate and government | This act prescribes the rules for corporate governance, as described in a later section. Specifically, sections 404 and 302 are important to IT processes. | Disclosure, internal controls, and reporting |
The Presidential Records Act | Executive branch government | Presidential records are to be sealed for not more than 12 years after a president leaves office. | Retention |
National Archives and Records Administration (NARA) | Federal government agencies | NARA is a government body that helps further define the way in which information is managed and shared. | Retention and disclosure |
Freedom of Information Act (FOIA) | Federal government agencies | The law requiring government agencies to make information freely available, as well as the process to obtain the information. | Retention and disclosure |
Food and Drug Administration (FDA) 21 CFR Part 11 | Pharmaceutical | 21 CFR Part 11, Electronic Records, states that business records that were created and maintained electronically must comply with all the same archival requirements as hard-copy documents (including audit trail, system security, system self-check, and so on). | Retention |
Regulation of Investigatory Powers Act 2000/Telecommunications Regulations 2000 | Telecommunications | CFR Title 47, Part 42, requires companies to keep records of all electronic communications with their customers (statements, exchange messages, and so on). | Retention and disclosure |
The Patriot Act | Corporate and ISP | Grants broad investigatory rights to law enforcement. | Retention and disclosure |
HIPAA | Health care (payer/provider) | HIPAA rules ensure that medical records, including e-mail records, are better stored and organized for the benefit of patients. | Retention, deletion, and disclosure |