The Big 5 Compliance Laws

Updated: April 30, 2009

As the government places an increasing number of compliance requirements on businesses, IT departments are struggling to keep pace with the increased workload. A study conducted in 2006 by technology research firm Gartner Inc. estimated that 10 to 15 percent of that year's corporate IT budgets would be spent on financial compliance management. According to Gartner Inc., professional services focused on consulting, audits, process management/workflow, documentation and planning are responsible for most compliance expenses.

Here's a look at the five big laws that are driving regulatory compliance and the burdens they place on IT departments:

The Sarbanes-Oxley Act of 2002
Enacted in response to a series of high-profile financial scandals, the Sarbanes-Oxley Act (SOX) is designed to protect shareholders and the general public from enterprise accounting errors and fraudulent practices. The act is administered by the SEC (Securities and Exchange Commission), which sets deadlines for compliance and publishes rules on requirements. Sarbanes-Oxley is not a set of business practices and does not specify how a business should store records. Instead, it defines which records are to be stored and for how long. Sarbanes-Oxley is all about ensuring that internal controls or rules are in place to govern the creation and documentation of information in financial statements. Since IT systems are used to generate, change, house and transport that data, IT departments have to build the controls that ensure that SOX information stands up to audit scrutiny.

The Health Insurance Portability and Accountability Act of 1996
Created to establish standardized mechanisms for EDI (electronic data interchange), security and confidentiality of all health care-related data, the Health Insurance Portability and Accountability Act (HIPAA) features two distinct sections. HIPAA Title I deals with protecting health insurance coverage for people who lose or change jobs. HIPAA Title II includes an administrative simplification section that concerns the standardization of health care-related information systems. To organize and protect medical records, IT departments need to invest in and operate an array of technologies, including EMR (electronic medical record) solutions, firewalls, remote monitoring systems, intrusion-detection technologies, auditing software and encryption programs.

The "Do Not Call" List
A registry of U.S. phone numbers that telemarketers are prohibited from calling under most circumstances, the "Do Not Call" list is maintained by the FTC (Federal Trade Commission). Consumers can contact the agency to have their numbers registered. Organizations are prohibited from making calls to sell goods or services to any numbers consumers list with the National Do Not Call Registry, and violators are subject to substantial fines. IT departments need to install software and policy safeguards that ensure outbound call centers don't violate the law's provisions by contacting individuals on the "Do Not Call" list who have no direct business contact with the organization.

The "Can-Spam Act" of 2003
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, informally known as "The Can-Spam Act," allows courts to set damages of up to $2 million when spammers break the law. Federal district courts are allowed to send spammers to jail and/or impose triple damages if the violation is found to be willful. IT departments need to install software and policy safeguards that ensure that bulk emails don't violate the law's provisions.

The Gramm-Leach-Bliley Act of 1999
The Gramm-Leach-Bliley Act (GLB Act), also known as the Financial Modernization Act, is a federal law designed to control the ways financial institutions deal with consumers' private information. As with other privacy-related mandates, affected IT departments need to spend heavily on data-protection technologies.

Enterprises and their IT departments should look for compliance solutions that simultaneously satisfy multiple regulations covering several business units. At the same time, IT managers and their bosses should adhere to a sensible strategy when deciding on a solution and not rely on a stopgap measure to comply with a single regulatory act. Organizations that choose one-off solutions for each regulatory challenge could spend up to 10 times more on IT compliance solutions than counterparts that take a sustainable programmatic approach.