Congress has taken an active role in passing laws and regulations governing the means that businesses must employ to preserve and protect their assets. In light of these laws, it is important to know exactly who is going to be held legally accountable: senior managers. By law, custom, and practice, they are the persons responsible for protecting business assets from damage and destruction, and when inquiries are made, senior managers are held responsible for the successful operation of their organization.
Laws and regulations have been enacted affecting the protection of company assets, and it is senior management's responsibility to know them. You cannot hide behind ignorance, because it is your responsibility to know how they affect your organization. Exhibit 1 is a small sample of the laws currently affecting the way businesses must protect their assets.
Exhibit 1: Laws Affecting Industries

| Regulation | Organization | Information |
|---|---|---|
| Foreign Corrupt Practices Act (1997) | Industrywide | Accountability for record keeping |
| IRS Procedure 86-19 | Industrywide | Requirements for computer-related tax records |
| Accreditation Manual for Hospitals (1994) | Healthcare | Guidelines for information management |
| Gramm-Leach-Bliley Act (15 USC 6801) | Financial institutions | Protection of personal financial information |
| Office of Foreign Asset Control (OFAC) | Financial and money service institutions | Prohibition of doing financial business with specified persons, nations, and businesses |
| Health Insurance Portability and Accountability Act of 1996 (HIPAA; 45 CFR 164) | All industries associated with healthcare services | Protection of personal healthcare records |
Exhibit 1 represents only a very small portion of the laws and regulations requiring organizations to preserve their data assets. It is not enough that a company has exercised sound business practices; it has to comply with the law or it can be found noncompliant and face the legal consequences. Penalties for failing to comply with laws and regulations can vary greatly. In the case of failing to preserve the confidentiality of personal financial records, the injured party can sue the offending financial institution. In other cases, it is a criminal act to disclose financial or healthcare information for profit without the data owner's informed consent.
As a logical legal extension, senior managers responsible for instituting and maintaining data protection will likely be held personally liable through civil and criminal actions. Legal mandates must be integrated into your critical incident management process. Compliance with current legislation is an area to be carefully discussed with your legal counsel and auditing departments. In today's litigious society, you can bet that failure to comply will result in offended parties seeking their pound of legal flesh.