5 Tips to Ensure Corporate Email Compliance
A competent technical manager knows that his company needs to adhere to email compliance laws and regulations. Compliance, however, is not easy! There is literally an alphabet soup of laws and regulations – SOX, HIPAA, GLB and others.
In this post I offer five tips that you can use to avoid all of the common pitfalls that every technical manager, CTO or CIO has to deal with.
1. Understand Compliance
You need to understand the compliance laws that affect your country or state. The two major laws are the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). Email regulations also exist in the Gramm-Leach-Bliley Act (GLB), Securities and Exchange Commission laws (SEC 17a) and the National Association of Securities Dealers (NASD 3010).
You should find out which laws apply to your industry. The medical and financial sectors tend to have more laws and compliance is very rigorous. In the e-commerce markets, laws tend to change very quickly and country boundaries are blurred, adding to the challenges.
Breaking the regulations can involve imprisonment in some cases, or very large fines in others, giving companies no choice but to strictly adhere to whatever compliance laws are put into place.
The major requirements common to all of these regulations are email retention (email is stored for a defined period of time) and email extraction (email can be pulled from the archive upon request).
2. Have a good Company Policy
A company policy sets down the rules that govern the organization. A good company ensures that its employees are trained in the areas that affect them. This improves their performance and helps them understand their responsibilities.
Policy sections that deal with email and messaging should include information on which parts of the relevant laws are being applied in the organization. Users should know which devices are allowed and which ones are forbidden, and they should be told what kind of personal information is being retained.
3. Personal email accounts
It is very common these days for employees to have at least two accounts; their corporate account, and their personal account. These accounts could pose a threat to your organization. It is vital that all communication that is related to the organization is only expressed over the company’s approved email accounts because these are the ones covered by the policy.
There is an increasing trend for employees to use their corporate email accounts from their personal mobile devices. In this case you need to ensure that the way the device is configured and used is also compliant.
4. Tools and Services for Compliance
There are many software packages and services out there that can be used to satisfy the technical requirements for compliance. When selecting email technologies and tools it is important to check which laws and regulations they cover, and whether they cover them adequately. Good email archiving software should conform to many of the email compliance standards, but in some particular situations not every package will suit your needs, so make sure you read the software specifications before you buy.
Regulatory compliance is also being offered as a service, where your email traffic is archived in the cloud. When choosing these services, be diligent about where your data is hosted and how much control you have over it.
5. Continuous Compliance
Email compliance is a moving target. It is not enough to set it up once and forget about it. You need to continuously monitor and upgrade your email systems. Each time there is a change, compliance can be affected. New employees also need to be trained on company policies, and when policies change, existing staff need to know about the changes. Remain up to date on the latest trends in technology and keep an eye out for new trends that can affect your state of compliance.
Having a firm yet flexible compliance policy is very important. Think about all the companies who struggle with security because they don’t keep up to date with new threats, but likewise, you need to be mindful of new permissions. As email continues to deliver more and becomes somehow more integral to everyday life, it’s important to know what it needs to be used for in the workplace, what’s unnecessarily risky, and to find that happy medium not just once, but as new situations and threats develop and occur.
My understanding is that corporate email accounts are those used and maintained by big and multinational corporations, and that they are the ones covered by these email compliance laws and regulations. Am I right? Can you confirm this?
I work in a small-sized enterprise, with less than 50 employees. I’m not sure if we have email compliance in place. Is this necessary even if my company only has several email accounts? Our business mostly caters to local clients.
I’m not even familiar with SOX, HIPAA, and GLB.
I would add to the top of the list – keep your knowledge current. Take the time to follow the changes in legislation because if you fail to do so, all the other measures become obsolete. If you are lucky to be in an industry where change in legislation is infrequent, then you don’t have that much to do but in all other cases, the mountain of bills and acts to read is a huge one.
Having a good company email policy should be every organization’s top concern. This will not only ensure compliance with national and international standards, it will also get rid of common spam, harmful messages, leaky emails, phishing attacks, and other forms of malware sabotage.
Moreover, an excellent, practical, and efficient company policy can be easily implemented from the management level down to the bottom.
Take control of personal email accounts and you’ll take care of the four remaining tips mentioned above. Personal email accounts are the headache of most email admins in a corporate environment. I know this because I once worked as an email manager for a large company based in California, which has more than 300 accounts.
Although it’s a very tiring job, at the end of the day you feel rewarded and fulfilled because you know you’ve contributed to the company’s growth.
Also, managing corporate email accounts is a top-level concern for any enterprise and it’s synonymous with business compliance.