
Overview



Presentation Transcript


  1. Overview
    • Compliance – electronic record retention
    • Significant regulations
    • The compliance lifecycle
    • Industry response

  2. Compliance
    • Information has fundamentally shifted from paper to electronic media
    • Laws that once governed paper records are adapting to address electronic transactions and electronic media
    • Companies are compelled by both regulations and legislation to retain data
    • Compliance regulations continue to expand the scope of regulated data types and the length of retention periods
    • No one is exempt

  3. Retention Regulations Growing
    • Over 15,000 federal and state regulations in the US alone
    • Thousands more worldwide
    • 17a-4, NASD 3010, Health Insurance Portability and Accountability Act (HIPAA), 21 CFR Part 11, 5015.2

  4. Sarbanes-Oxley Overview
    • Scope
      • All U.S. public companies and public accounting firms regardless of size
      • Foreign accounting firms, including those that perform audit work for foreign subsidiaries of U.S. companies
    • Motivation
      • New law passed to strengthen regulation of public companies
      • Corporate scandals: Enron, Andersen, WorldCom, et al.
    • Effective date
      • President Bush signed it into law on July 30, 2002; it has a staggered implementation schedule
    • Retention
      • Requires all audit or review workpapers relevant to the audit or review to be kept for 7 years after the audit or review is complete

  5. Sarbanes-Oxley: Penalties
    • Imposes fines and prison sentences of up to 20 years for anyone who “knowingly alters, destroys, mutilates, conceals, covers up, falsifies or makes false entry in any record, document or tangible object with the intent to impede, obstruct or influence the investigation or proper administration of any department or agency of the United States;”
    • “Under the Sarbanes-Oxley Act, the government can bring charges of obstruction of justice if a company destroys potentially relevant records before a subpoena is issued.” Previous laws required a pending or imminent proceeding with a subpoena issued to show presumed intent to obstruct. – ARMA RIM Imperative FAQ

  6. SEC Regulations: 17a-3 and 17a-4
    • Enacted by the SEC in 1997; allows brokers in the securities industry to store records electronically
    • 17a-3: Requirement to make the records
    • 17a-4: Requirement to keep the records (retention, WORM non-rewriteable storage, and ease of retrieval)
    • Regulations require:
      • Written and enforceable retention policies
      • Storage of data on indelible, non-rewriteable media
      • Searchable index of all stored data
      • Readily retrievable and viewable data
      • Storage of data offsite

  7. SEC Regulations: 17ad-6 and 17ad-7
    • Transfer agents: keep shareholder records, issue new certificates, distribute proxies, dividends and annual reports, and forward company correspondence to shareholders
    • Allows transfer agents to use electronic media to maintain their records
    • Requirements
      • Use storage mechanisms that are designed to ensure the accessibility, security, and integrity of the records
      • Detect attempts to alter or remove the records
      • Provide means to recover altered, damaged, or lost records

  8. NASD 3010 & 3110
    • National Association of Securities Dealers Inc. (NASD)
      • Established to govern the behavior of securities firms
    • Rule 3010: Supervision
      • Each firm must “supervise” its representatives' activity, including monitoring incoming and outgoing email
      • Expanded to instant messages
    • Rule 3110: Retention of Correspondence
      • Each member shall retain correspondence of registered representatives relating to its investment banking or securities business
      • Requirements pertaining to record-keeping formats, media, and retention periods comply with SEC Rule 17a-4

  9. Financial Services: Recent Fines

  10. Food & Drug Admin: 21 CFR Part 11
    • Issued in 1997
    • Scope
      • Food processors and bioscience companies engaged in research and manufacturing
    • Motivation
      • Protection of public health
    • Establishes standards for electronic information and signatures to replace hard copies for all manufacturers regulated by the FDA

  11. Food & Drug Admin: 21 CFR Part 11
    • Requires that “copies” of all records are kept “in common portable formats” and “must preserve the original content and meaning of the records”
    • Requires the protection of records to enable their accurate and ready retrieval through the retention period
    • Record retention periods:
      • Food (manufacturing, processing, packing) – 2 years after release
      • Drugs (manufacturing, processing, packing) – 3 years after distribution
      • Bio products (manufacturing, processing, packing) – 5 years after end of manufacturing
    • In June 2002, Schering-Plough paid $500 million to the FDA and US Treasury related to compliance violations

  12. Health Insurance Portability and Accountability Act
    • Sets national standards for the healthcare industry
    • Addresses the security, privacy and retention of electronic medical-related data, with regard to its use, storage, and exchange
    • Section 1173(d)(2)
      • Administrative, physical, and technical safeguards must be maintained to ensure the integrity of this medical-related data
      • “Data authentication” – ensuring that data is not altered, destroyed or inappropriately processed
    • Medical records must be retained at least 6 years, and at least 2 years after the death of a patient
    • Penalties for noncompliance up to $250,000 and 10 years in prison

  13. IRS Revenue Procedure 97-22
    • Guidelines for record retention and storage recommendations for any and all taxpayers
    • Tax-related documents must be retained for as long as they are subject to audit by the IRS under section 1.6001-1(e)
    • The storage system must:
      • Ensure the integrity, accuracy, and reliability of such records, and
      • Prevent alteration of, deletion of, or deterioration of such records
    • Penalties:
      • The District Director may issue a Notice of Inadequate Records pursuant to section 1.6001-1(d) if the taxpayer's electronic storage system fails to meet the requirements of this revenue procedure
      • May also be subject to applicable penalties under subtitle F of the Code, including the section 6662(a) accuracy-related civil penalty and the section 7203 willful failure criminal penalty

  14. Retention Periods Summary

  15. Compliance Regulation Lifecycle (diagram; only its labels survive in this transcript)
    • Lifecycle stages: Proposed Regulation, Comment, Law, Interpretation, Guidance, Enforcement
    • Tension labels: Technology Outpaces Law / Law Outpaces Technology; Public Interest vs. Industry Concerns (Tradeoff)
    • Other labels: Too Little, No Solutions, Too Expensive; Enforcement Actions, Court Rulings; Enforcement Divisions Explain Intent; Industry Associations; Competitive Compliance

  16. Current Technologies Fall Short of Records Retention Requirements
    • Application and data format obsolescence
    • Storage technology management
      • Media obsolescence and degradation
      • Multiple storage technologies separately managed
    • Data organization, interpretation, and retrieval
      • Enough context around the archived information has to be preserved to allow it to be found 15 years in the future
    • Archive silos
      • Information organization, retrieval, or reporting across applications is challenging
    • Security
      • Access control, authentication
      • Electronic signatures
      • Audit trails

  17. FDA 21 CFR Part 11 Revisited

  18. FDA 21 CFR Part 11 Lifecycle
    • FDA recognized the growing use of electronic systems and records in research, clinical trials, communication systems…
    • FDA promulgates electronic records management regulations in 1997
      • Requirements that exceeded then-available solutions
      • Industry could not comply
      • Individual companies focused on competitive compliance
    • FDA Enforcement Division issues guidance that only certain sections will be enforced
    • Vendors gradually introduce systems to enable compliance
    • FDA Enforcement Division continues to issue guidance annually, expanding the scope of regulation sections that will be enforced

  19. Summary
    • Electronic records management legislation impact is broad
      • Across many industry verticals
      • Increasing scope of records and increasingly long retention periods
      • It will only get worse if you are regulated and better if you are supplying
    • Regulations are catalyzing a new market now
      • Traditional backup/archiving is insufficient
      • Compliance market will outpace overall storage market
      • Compound growth as a function of annual growth of underlying data and retention periods
      • Scope of data archives expanding: e-mail and instant messages
    • Competition is intensifying
      • Startups: KVS, Zantaz
      • Storage hardware and software vendors: EMC, VRTS
      • Records archiving: Iron Mountain
      • Document management: FileNet, Interwoven, Hummingbird
