From the late 1990s, numerous new regulations have been introduced in both the United States and Europe, often in the wake of corporate scandals where unethical business practices fell foul of existing financial reporting and disclosure rules. The backlash from these high profile episodes prompted newer corporate compliance legislation, such as Basel II in Europe and Sarbanes-Oxley in the United States. This is now being implemented alongside the likes of the EU Data Protection Directives and the Privacy & Electronic Communications Regulation, to ensure that companies put and keep their houses in order.
In general, the relationship between email and the law is a patchy one, with a mismatch of old and new law dealing with old and new issues. There is no single law relating directly to the use of email, and yet it is touched by several pieces of legislation intended to balance the interests of privacy and human rights with protecting corporate investment and security.
For example, in the UK, the 7th Principle of the Data Protection Act requires that businesses take ‘appropriate measures to prevent the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’ Although somewhat ambiguous in its definition, it essentially means that companies must protect all electronic communications containing customer data, including all emails sent and received.
It is not just customer information that must be considered. In order to be compliant with the regulations, businesses must take appropriate measures to mitigate the risk of disclosing valuable or sensitive organisational data. Unauthorised access to or distribution of financial forecasts, intellectual property or any other company-sensitive information can not only contravene legislation but may also do substantial damage to an organisation’s credibility, reputation and future competitiveness. It is also worth remembering that contracts are often inadvertently created via email – without either party realising it.
There has been a tendency for some companies to dismiss regulatory compliance as something that they don’t really need to worry about, and it’s only other businesses that need to worry. Consider then what would happen if a legal disclosure order sought access to all email sent between Mr A and Ms B over a six month. Or if as part of an investigation all emails sent by finance and HR over the past two years had to be retrieved. Unless the organisation in question has efficient email back up, search and retrieval, this is likely to be a lengthy and costly process, and failure to provide the information could have serious repercussions.
It is easy to concentrate on the seemingly negative implications of ensuring compliance – it is expensive, complicated and time consuming. However, not enough attention is given to the benefits of being compliant. Investors pay a premium for shares in companies that can demonstrate they are well governed; in the UK and US this is estimated to be around 15-20% extra on capital value. In addition, businesses that can prove they are well managed tend to attract high calibre employees and customers. So quite apart from avoiding the long arm of the law and damage to brand and reputation, exercising good governance practice has some other major advantages.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.