Industry & Regulatory Guidelines
At CellTrust, we understand that BYOD can be a challenge to implement at any organization, but particularly those in highly regulated industries. And because CellTrust works with so many different organizations, our experts can show firms where they should be with BYOD voice and text security protocols and policies—in addition to understanding the latest rules and regulations impacting mobile communications.
Don’t wait for a security breach or compliance fine. Protect and transform your enterprise through compliant BYOD for text and voice communications.
Financial Services
U.S. Dodd-Frank Wall Street Reform & Consumer Protection Act
Dodd-Frank is a massive piece of financial reform legislation passed in 2010 in response to the financial crisis of 2008. The Act’s numerous provisions are intended to decrease various risks in the U.S. financial system by protecting investors from unfair, improper and fraudulent practices—and foster fair and efficient capital markets and confidence in capital markets.
U.S. FINRA
Financial services must satisfy certain obligations with regard to text message monitoring, retention and the protection of content. In FINRA Regulatory Notice 07-59 (December 2007), FINRA provided guidance regarding the review and supervision of electronic communications. For purposes of the FINRA guidance, electronic communications, email and electronic correspondence may be used interchangeably and can include such forms of electronic communications as instant messaging and text messaging.
- Rule 2010: Governs broker dealers’ communications with the public including communications with retail and institutional investors
- Rule 3010: Requires the supervision and retention of records
- Rule 3120: Provides guidance on establishing, maintaining and enforcing a system of supervisory control policies and procedures
- Regulatory Notice 07-59: Provides guidance for the review and supervision of electronic communications
- Regulatory Notice 10-59: Requires the encryption of content on portable media devices
- Regulatory Notice 11-39: Provides guidance on the use of personally owned devices that contain or access corporate information
U.S. Gramm-Leach-Bliley Act (GLBA)
The GLBA protects the rights of individuals with regard to their personal financial information and regulates organizations in the following services: financial services, insurance, tax preparation, banking, consumer credit reporting and brokering. Violations of the Act can result in significant fines plus possible jail time.
Key points of the GLBA include:
- Secure the confidentiality of all customer records and information
- Provide access to all customer records to prevent harm or inconvenience to any customer
- Storage of this information must be extremely secure, with strong access controls and secure passwords
- Communication through emails must be kept secure and encrypted
- Sensitive customer information must be protected in case of physical disaster or technological failure
Investment Industry Regulatory Organization of Canada (IIROC) 29.7
IIROC 29.7 requires that all client correspondence and related documents, including all forms of electronic communications, be retained for five years from the date of creation. Additionally, all sales literature and related documents must be retained for two years from the date of creation. Archived sales literature and correspondence must be readily available for inspection by the Association at all times.
E.U. Markets in Financial Instruments Directive (MiFID) II
In October 2011, the European Commission proposed to revise the MiFID II with the aim of making financial markets more efficient, resilient and transparent, and to strengthen the protection of investors.
Key points of MiFID II include:
- In January 2014, an agreement in principle was reached by the European Parliament and the Council on updated rules for MiFID II
- In February 2016, the European Commission proposed a one-year extension of the MiFID II implementation date from January 2017 to January 2018
- The twelve-month delay was proposed due to the exceptional technical implementation challenges faced by regulators and market participants
U.S. Sarbanes-Oxley (SOX) Act
Signed into law July 2002, SOX was designed with the goal of implementing accounting and disclosure requirements that:
- Increase transparency in corporate governance and financial reporting
- Formalize a system of internal checks and balances
SOX is applicable to:
- Publicly held American companies
- Any international companies that have registered equity or debt securities with the U.S. Securities and Exchange Commission (SEC)
- Any accounting firm or other third party that provides financial services to either of the above
Formal penalties for non-compliance:
- Can include fines, removal from listings on public stock exchanges and invalidation of D&O insurance policies
- Under the Act, CEOs and CFOs who willfully submit an incorrect certification to a SOX compliance audit can face fines of $5 million and up to 20 years in jail
U.S. Transparency in Government Laws “Sunshine Laws”
Through sunshine laws, administrative agencies are required to do their work in public, and as a result, the process is sometimes called “government in the sunshine.” The laws are meant to ensure that government agencies sanction the attendance of public representatives and media organizations at all meetings so that information about the proceedings can be channeled to the public in an efficient and timely manner. As such, sunshine laws emphasize transparency and accountability in different functions of government departments and agencies.
Sunshine laws differ from state to state, and different states frequently amend their sunshine laws to suit state-specific regulatory requirements. Therefore, there are variations in the way in which public information access is implemented by different government agencies and different state governments in the U.S. Variations are particularly pronounced in state definitions of the public institutions that are subject to open-meeting provisions and in the penalties for non-compliance with those provisions.
U.S. Health Insurance Portability & Accountability Act (HIPAA)
HIPAA, Public Law 104-191, was enacted on August 21, 1996. While HIPAA is best known for the Privacy Rule, which applies to individual health care information in all forms, whether oral, paper or electronic, HIPAA also includes the Security Rule, which applies when health care information is electronic. Whereas the Privacy Rule defines the circumstances in which individual health care information may be disclosed, the Security Rule defines the requirements for making such disclosures in electronic form.
Even if a disclosure is permissible under the Privacy Rule—for example, when authorized by a patient or when necessary to protect public health—any disclosure that is electronic must be made in a manner that complies with the Security Rule. Electronic PHI is PHI that is “transmitted by electronic media” or “maintained in electronic media.” Electronic media include “electronic storage media” and “transmission media used to exchange information already in electronic storage media.” A text message arguably is within the definition of electronic media because it involves data that exist in electronic form prior to transmission.
U.S. Federal Rules of Civil Procedure (FRCP)
The FRCP set forth the rules of discovery and disclosure for litigation that any company dealing with frequent cases must abide by. Non-compliance with these rules can lead to the dismissal or loss of a case as well as severe fines and disbarment of any employee involved. The rules were amended in December 2006 to include discovery pertaining to electronic records search and retention (eDiscovery), establishing that electronic information is discoverable evidence.
U.K. Financial Conduct Authority (FCA)
The FCA is a regulatory body in the United Kingdom, formed as one of the successors to the Financial Services Authority (FSA). The FCA regulates financial firms providing services to consumers and maintains the integrity of the UK’s financial markets.
11.8.5 R: A firm must take reasonable steps to record relevant telephone conversations, and keep a copy of relevant electronic communications, made with, sent from or received on equipment:
- Provided by the firm to an employee or contractor, or
- The use of which by an employee or contractor has been sanctioned or permitted by the firm
U.K. FSA Conduct of Business Rules
Rule 5.54 & Appendix 18: Requires firms to ensure that sufficient information is recorded and retained about its regulated business and compliance with the regulatory systems. Appendix 18 summarizes the record keeping requirements for customer orders, requiring a continuous audit trail for customer dealings.
U.S. Securities & Exchange Commission (SEC)
The SEC Act requires that records be kept for the purposes of reviewing and auditing securities transactions. In 1997, the SEC amended the primary rule 17a-4 to let broker-dealers store records, including email and instant messages, electronically.
- SEC Rule 17a-3: Requires the production of such records
- SEC Rule 17a-4: Requires the retention of these records; to comply, all copies of communications (emails, memos, text, instant messages, etc.) must be retained for a minimum of three years, and for the first two years the location of these records must be easily accessible
U.S. Health Information Technology for Economic and Clinical Health (HITECH) Act
The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law in February 2009 to promote the adoption and meaningful use of health information technology. Subtitle D addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
- Sec. 13401: Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions
- Sec. 13402: Notification in the case of breach
- Sec. 13403: Education on health information privacy
- Sec. 13404: Application of privacy provisions and penalties to business associates of covered entities
- Sec. 13405: Restrictions on certain disclosures and sale of health information; accounting of certain health information disclosures; access to certain information in electronic format
U.S. Freedom of Information Act (FOIA)
Since 1967, the Freedom of Information Act (FOIA) has provided the public the right to request access to records from any federal agency. It is often described as the law that keeps citizens in the know about their government. The FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies. Federal agencies are required to disclose any information requested under the FOIA unless it falls under one of nine exemptions which protect interests such as personal privacy, national security, and law enforcement.
The nine exemption categories that authorize government agencies to withhold information are:
- Classified information for national defense or foreign policy
- Internal personnel rules and practices
- Information that is exempt under other laws
- Trade secrets and confidential business information
- Inter-agency or intra-agency memoranda or letters that are protected by legal privileges
- Personnel and medical files
- Law enforcement records or information
- Information concerning bank supervision
- Geological and geophysical information