Best Practices: Meeting Compliance Challenges

June 2005

After 9/11, Enron, Ahold, WorldCom and Parmalat, governments all over the world have enacted new laws concerning corporate governance, financial and reporting practices, data protection and privacy, consumer protection, preventing terrorism, and more. The resulting security, data backup, and electronic documentation requirements have spawned a need for new kinds of IT systems with auditing, monitoring, and reporting capabilities that affect companies of all sizes. This paper addresses these implications and the resulting compliance challenges.

The list of new regulations is impressive. Most direct the actions of large, publicly-held companies, but not all of these regulations are reserved for large corporations.

Yes, This Means You

Several regulations directly affect smaller businesses in certain industry sectors, and plenty of other small businesses -- especially those with ambitions to grow and be acquired or go public -- will still feel the impact.

For these businesses, developing adequate corporate governance processes and structures prepares them for the future -- a future in which, according to researcher International Data Corp., the vast majority of businesses will need information management compliance solutions to help with the likes of electronic discovery of documents and real-time analysis of IT systems.3-1

Are Your Business Practices Legal?

Consider these examples of violations of EU/UK data protection rules:

  • Via a third-party marketing firm, a respected Irish charity disclosed donor information to a bank and received in return a donation for each donor who responded to the bank's sales effort, even though the charity's donors had not agreed to this use of their information.
  • A car rental agency charged alleged damage to a customer's credit card -- but the customer had not used his credit card to rent the car and the agency misused credit card data from an earlier transaction, data that should have been destroyed.

The Long Arm of the Law: Does This Mean Today?

Even those with more modest growth plans may face immediate compliance requirements: HIPAA (the Health Insurance Portability and Accountability Act) demands that all U.S. healthcare providers, large and small, not only protect the privacy of patient data but also be able to prove they have done so. The price of noncompliance is exposure to liability as well as civil and criminal penalties. Similarly, the UK's recently revised Electronic Commerce Regulations impose new information requirements on small businesses as well as large companies engaged in e-commerce.

Various U.S. Securities & Exchange Commission (SEC) regulations require compliance from small brokerage houses and financial services firms, while small banks and even certified public accountants (CPAs) must deal with the Gramm-Leach-Bliley Act (GLBA) and related anti-money-laundering regulations. The U.S. Patriot Act, meanwhile, impacts both large and small trading and financial services companies, including check-cashing businesses, with new rules aimed at preventing terrorism and money laundering by requiring businesses to be able to identify customers and activities that might be suspicious.

And the Sarbanes-Oxley Act in the United States (SOX) -- requiring, among other things, that a business's relevant financial reports be certified by both the CEO and CFO -- affects small publicly-held and privately-owned companies not just in the U.S. but all over the world.

In one study of the effects of Sarbanes-Oxley on private companies (which are not required to comply with the law), 87% of those queried indicated that SOX had impacted their firm, and 78% had voluntarily imposed reforms on themselves, mainly because their boards of directors, auditors, customers, lenders, or insurance providers had insisted on it.3-2

While there is not yet a European Union equivalent to Sarbanes-Oxley -- the much heralded "eighth directive" is in fact focused only on auditors -- individual EU nations have generated corporate governance regulations that are similar to SOX. Notable among these are:

  • France's Loi sur la sécurité financière (LSF), in force since 2003, requires companies to document all their main business processes, and
  • Germany's Data Access and Digital Signature Authentication Law (GDPdU) empowers tax officials to instantly access company financial documents.

Still more regulations may apply, depending on the kind of business you're in. Makers of pharmaceuticals and other kinds of manufacturers, for instance, are subject to environmental laws. Those transporting goods must now contend with U.S. Department of Homeland Security regulations.

Then there are internal and supplier-related compliance issues, such as Wal-Mart, Procter & Gamble, and the U.S. Department of Defense requiring their suppliers to use electronic product code radio frequency identification (RFID) tags.

The Bottom Line:

Increasingly, staying in business means staying compliant with new laws and standards that are raising the bar on all business behavior. And to stay compliant, all businesses must adopt basic security, data backup, and records management practices and technologies.
