
Laws Affecting United States Corporations and Industries in Silicon Valley and the entire Bay Area
Sarbanes-Oxley Act of 2002
Securities Exchange Act of 1934
The Financial Modernization Act of 1999 (a.k.a. the Gramm-Leach-Bliley Act)
21 Code of Federal Regulations Part 210, Part 211, and the Federal Food, Drug, and Cosmetic Act
USA Patriot Act
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Family Educational Rights and Privacy Act
The Sarbanes-Oxley Act of 2002 (SOX) carries a significant impact on a number of organizations across all industries and makes corporate executives explicitly responsible for establishing, evaluating, and monitoring the effectiveness of internal controls over financial reporting. While spreadsheets are the most broadly used financial application, password protection and file-level access controls do not satisfy the necessary security requirements. The act requires user authorization, protection of sensitive information from unauthorized access or modification during transmission or storage, and monitoring of user actions.
Because this act holds a public company’s officers personally responsible for any misrepresentation, a corporate officer who knowingly authorizes a false financial report can be fined up to $1 million and sentenced to as many as 10 years in prison.
Meeting SOX compliance requirements is a pressing issue in many industries. Organizations implementing solutions that, among other things, prevent unauthorized access to documents and accurately track who is viewing financial records will take one step closer to safeguarding vital information and keeping their reputation in good standing with both the public and the government.
The Securities Exchange Act, which resulted in the formation of the Securities and Exchange Commission (SEC), was passed by Congress in 1934 as an effort to prevent unfair practices in the securities industry. The act is a compilation of laws which, among other things, require brokerage firms, transfer agents, clearing agencies, and the nation’s securities self-regulatory organizations (SROs) to maintain records that are available for review in the event of an audit.
Rules 17a-3 and 17a-4 require brokerage firms to maintain a system of customer records and transactions (these may be electronic). In addition, the National Association of Securities Dealers (NASD), which falls within the SRO category, must follow a code of conduct. NASD conduct rules 3010 and 3110 state that these organizations must maintain a system of customer records for a specified period of time. Noncompliance with these rules may result in fines that stretch into the millions of dollars.
The Gramm-Leach-Bliley Act (GLB Act) applies to financial institutions, such as banks, securities firms, insurance companies, and other companies that provide financial products and services to consumers. The GLB Act contains several provisions that explain how financial institutions must protect and handle personal financial information. More specifically, the Safeguards Rule, which also applies to companies such as credit reporting agencies that receive personal financial information from other financial institutions, requires that all such institutions enforce and maintain security measures that protect their customers’ personal financial information.
Part 210 “Current Good Manufacturing Practice (cGMP) in Manufacturing, Processing, Packing, or Holding of Drugs; General” and Part 211 “Current Good Manufacturing Practice for Finished Pharmaceuticals” define how pharmaceutical organizations should produce their products.
More specifically, Part 210 outlines the minimum cGMPs that must be followed to assure that drugs meet safety requirements, and meet the quality, ingredient, and purity claims.
A component of Part 211 refers to how records concerning manufacturing processes are kept and how long these records should be maintained. Consequently, pharmaceutical companies must follow cGMPs and be able to provide documented proof, for a specific period of time, that cGMPs were followed. In addition, these companies are under strict mandates to accurately report how items were manufactured and what ingredients were used in the manufacturing process.
Companies that provide inaccurate reporting of this information risk noncompliance with the Federal Food, Drug, and Cosmetic Act, which specifically states that food and drugs cannot be adulterated or misbranded. Because strict penalties are placed on any organization that is found to be noncompliant, it is in an organization’s best interest not only to maintain accurate records, but also to take the steps necessary to prevent these records from being altered or tampered with in any way.
While the USA Patriot Act has many different components, Section 311 works to prevent money laundering and defines how financial institutions must maintain financial records, particularly when working with international transactions. As a result, these organizations require a secure system to archive these records so that information is protected, yet accessible for government review if necessary.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created by the United States Department of Health and Human Services (HHS) and outlines provisions that both encourage electronic transactions within the health industry and require safeguards to ensure the security and confidentiality of patient health information. An additional component of HIPAA is the Privacy Rule, which outlines how individually identifiable health information can be used. For example, this information may be shared among doctors, nurses, and others who require it to treat patients; however, without a patient's authorization, a health organization cannot share this information with a life insurer. As a result of the requirements of HIPAA, health insurers, pharmacies, doctors, and other healthcare providers require a secure system that ensures the protection of patient information. If a covered entity breaches the privacy rules set forth in HIPAA, that organization or responsible party could face significant fines and even jail time.
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student records and applies to educational institutions that receive funds from the United States Department of Education. According to this law, schools must maintain records, yet keep the information safeguarded from unauthorized access. Parents and students have access to these records, as do several other types of organizations (for example, a school to which the student may be transferring). As a result of these privacy rights and prohibitions, educational institutions require a solution that helps maintain a student's privacy by preventing unauthorized access to this information. For more information about the Family Educational Rights and Privacy Act, please visit: www.ed.gov/policy/gen/guid/fpco/ferpa/index.html.
