In an era of diminishing trust and public skepticism, regulations are being enforced with greater vigor to enable regulatory authorities to accurately reconstruct past processes and events from electronic records. These sweeping initiatives are being targeted throughout the economy, with some regulations focusing on securities, broker-dealers, pharmaceutical companies, healthcare organizations, major manufacturers and public corporations with more than $75 million in market capitalization.
Legislation now requires many of these U.S. organizations to retain certain records in a way that prevents them from being erased or modified for substantial time periods, sometimes 30 years or more. Steps must also be taken to prevent records from being accessed by those without authorization. Some of these regulations, like those based on the Sarbanes-Oxley law, are new. Others, such as SEC regulations applying to broker-dealers, have existed in one form or another since the 1930s. However, the common themes are broader regulatory purview over more types of records and substantially strengthened enforcement. The main thrust behind strengthened records-retention regulations is the government's desire to maintain an exact record of past activities in order to improve corporate governance, protect investors, enhance national security, ensure the safety of new drugs or medical devices, and modernize medical care, while protecting patient privacy. As a result of some widely publicized Wall Street scandals, the SEC is now enforcing its Rule 17a--originally written in the 1930s--much more aggressively. The use of electronic communication in business has exploded, and brokerage houses are now heavily reliant on e-mail, instant messaging and electronic forms (tickets, statements, approvals, etc.) than before. The SEC now requires the retention of all electronic client communications and many other brokerage records on non-erasable, non-rewritable media (also known as write-once/read-many or "WORM" media). Additionally, the SEC is demanding increasingly rapid responses to more frequent and broader requests for information. A recent enforcement example of the new regulatory reality for broker/dealers is the $8.25 million fine levied on five Wall Street firms in December 2002 for failure to retain regulated e-mails for the proper amount of time. Other firms have been fined or forced to pay large fees because they were unable to find and recover archived e-mails from tapes in a timely fashion.
Healthcare
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), whose privacy rules came into effect April 14, 2003 (with more rules to follow), is designed to improve the efficiency of healthcare through improved access to patient records while simultaneously protecting patient privacy. The government's position is that the quality of medical care can be improved through rapid online access to patient records, but that strong protections must be in place to guard against malfeasance and misuse of confidential patient data. While HIPAA does not mandate how data is stored, the requirements are effectively forcing healthcare payer/providers (hospitals, insurance companies and HMOs) to manage all patient records electronically using secure systems and secure media.
Life Sciences and Pharmaceutical Industries
Federal regulation 21 CFR Part 11 is designed to streamline the process that brings drugs to market, a major interest of the Bush administration. The goal is a well-designed, well-managed flow of information about drug development, testing and batch manufacturing so that the accelerated path from discovery to market will be simultaneously fast and safe--not to mention well-documented. Rigorous records retention is essential to both verify each drug has been thoroughly tested before approval and to ensure a proper investigation should something go wrong with a drug. Since most pharmaceutical companies also maintain clinical trials data, they must also carefully guard the privacy of such data for HIPAA compliance. Enforcement of 21CFR Part 11 has been temporarily suspended because drug companies objected that it was applied too broadly and that compliance was too unwieldy. The government is now recasting the regulation to make it more specific, but it's clear that the regulation will still require careful retention and safeguarding of records for many years.
Corporate Financial Statements
Congress passed the Sarbanes-Oxley Act in response to a series of major corporate financial scandals where C-level executives claimed that they were not accountable for--or even not aware of--faulty financial statements. The new legislation, which affects U.S. public companies with more than $75 million in equity market capitalization and quarterly reporting requirements to the SEC, specifies that CEOs and CFOs must personally certify financial statements as accurate, under penalty of jail time. Additionally, "all audit or review workpapers" must be retained for five years from the end of the corresponding fiscal period. Sarbanes-Oxley specifies significant criminal penalties for "whoever knowingly alters, destroy, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object." Although open to interpretation, such wording implies great care as to how records associated with the production of financial statements are archived.
No comments:
Post a Comment