Top Email Compliance Tips

The United States’ Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA) as well as Sarbanes-Oxley (SOX) demand certain industries and publicly traded companies to comply with a framework of legislation relevant to email around the IT security pillars confidentiality, integrity, and availability. In addition to that there a number of state laws and specific regulations which apply to email verbatim or indirectly. Legislation demands include that electronic communication is handled with due care, archived, and sensitive data protected. On top of that does SOX request that email has identifiable senders and receivers. Similar laws encompassing email compliance also exist in Europe and elsewhere in the world. This article spells out who is responsible, and provides top email compliance tips, both from organizational as well as and technical point of view.

Email compliance is a management responsibility involving organizational, legal, and technical aspects. The tips in this section address management and organizational issues of email compliance:

• Take regulatory compliance seriously. Failure to comply with state or federal legislation in the United States can lead to drastic fines and criminal charges

• Assign email compliance duties to an individual (compliance officer) while ensuring management attention

• Build an interdisciplinary email compliance team including members from the IT department

• Seek specialized advice including legal in the area you are doing business. Consider a second opinion from a consultant

• Think about the use of specialized email compliance software with quick on-site support; if you organization is relatively small consider outsourcing, too. In any case make sure you have clear service level agreements in place which cover the need of your business and meet regulators' demands

• Implement and enforce email compliance policies using a framework of best practice such as Control Objectives for Information and related Technology (COBIT).

• Have your policies audited (monitoring and reporting)

Depending on the industry and the countries you are doing business applicable laws, regulations and frameworks of best practice can demand e-mail compliance in the form of

• User authentication in order to create and send emails

• Receiver identification, for instance trough corporate user authentication for reading emails

• Email signing (non-repudiation), for instance through Public Key Cryptography as found in PGP

• Electronic message encryption, also found in PGP Desktop and similar products

• Legal disclaimers in the email appendix

• Message filtering for outbound emails (sensitive data, company secrets)

• Automated secure email archiving preventing alterations and malware damage

• Fast retrieval of archived electronic messages

• Secure deletion of emails after the retention period

• Email logging and reporting

It is important that your organizations technical means of email compliance are scalable and ready to adapt to new regulations.

In recent years legislation has introduced an alphabet soup of new regulations affecting email, and it is likely that the financial crisis will even lead to more acronyms of government imposed rules on electronic messaging and communication. The management of an organization is responsible for ensuring that emails are handled in compliance with applicable laws, regulations and frameworks of best practice. Non-compliance not only can lead to fines and criminal prosecution but also ruin an organization’s reputation.

Author's own experience