Topic Last Modified: 2005-04-27
Because of new regulations, many organizations in the financial services, insurance, and healthcare industries must maintain records of the communications that occur when employees perform daily business tasks.
Although journaling may not be required by a specific regulation, the terms of a regulation may make journaling the practical way to comply. For example, corporate officers in some financial sectors are responsible for the claims that their employees make to customers. To verify that those claims are accurate, an officer may set up a system in which managers regularly review some part of employee-to-client communications. Every quarter, after verifying compliance, the managers approve their employees' conduct. After all managers report approval to the corporate officer, the corporate officer reports compliance, on behalf of the company, to the regulating body. In this example, e-mail might be one of the employee-to-client communications that managers must review; therefore, all e-mail sent by client-facing employees is journaled. Other client communication mechanisms may include faxes and telephone conversations, which must also be recorded. Therefore, the ability to journal all classes of data in an enterprise is an important piece of the IT architecture.
The following is a list of some of the more well-known U.S. regulations with requirements that may rely on journaling technology. For more information about these regulations, see Supporting Regulatory Compliance with Exchange Server 2003.
SEC Rule 17A-4
NASD 3110 and 3111
Gramm-Leach-Bliley Act (Financial Institution Privacy Protection Act of 2001, Financial Institution Privacy Protection Act of 2003)
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act)