Government Regulations

With TotalCompliance™ policies and regulations can be effectively managed from beginning to end. Effective compliance of policies and regulations requires lifetime document management, automated distribution with notifications and reminders, on-line knowledge access with training and testing, and on-line, real-time compliance management and measurement -- all together and integrated in TotalCompliance.

• Basel II

• CA SB1386

• Canadian Privacy

• Common Criteria

• EU data Protection

• FDA 21/ CFR 11




• ISO 17799 and 27002

• Patriot Act


• SOX (Sarbanes-Oxley)

Basel II

Established: 1988

Jurisdiction: G-10 Member Countries*, Banking

Potential Fines:In the US,$500,000 for each violation in the case of the proposed federal Personal Data Privacy and Security Act

The Basel Committee has played a leading role in standardizing bank regulations across jurisdictions. Its origins can be traced to 1974. The Basel Committee does not have legislative authority, but participant countries are implicitly bound to implement its banking recommendations.

Currently Belgium, Canada, France, Germany, Italy, Japan, the Netherlands, Sweden, Switzerland, the United Kingdom and the United States) and Luxembourg.

CA SB1386


Jurisdiction: CA, General

Potential Fines:Fines and Prison time

California legislation SB 1386, signed into law in September 2002, requires all institutions and organizations that collect certain personal information to protect it against possible identity theft. If an incident occurs that involves the compromise of personal information, the individuals whose personal information may have been compromised must be notified; and, the designated campus authority must notify the Office of the President.

Canadian Privacy

Established: 1983

Jurisdiction: Canada, General

Potential Fines:

Canada has two federal privacy laws, the Privacy Act and the Personal Information Protection and Electronic Documents Act.

The Privacy Act took effect on July 1, 1983. This Act imposes obligations on some 150 federal government departments and agencies to respect privacy rights by limiting the collection, use and disclosure of personal information. The Privacy Act gives individuals the right to access and request correction of personal information about themselves held by these federal government organizations.

Individuals are also protected by the Personal Information Protection and Electronic Documents Act (PIPEDA) that sets out ground rules for how private sector organizations may collect, use or disclose personal information in the course of commercial activities. The law gives individuals the right to access and request correction of the personal information these organizations may have collected about them.

Common CriteriaBack To Top

Established: 1998

Jurisdiction: World, General

Potential Fines:None, but product is not certified

The Common Criteria (CC) is an international ISO standard 15408 for computer security. Common Criteria describes a framework in which users can specify their security requirements, developers can make claims about the security attributes of their products, and evaluators can determine if products actually meet their claims. In other words, Common Criteria provides assurance that the process of specifying, developing, and evaluating a computer security product has been conducted in a rigorous manner.

EU data ProtectionBack To Top

Established: 1995

Jurisdiction: European Union, General

Potential Fines:Fines may be imposed on offenders of up to £5,000 in the magistrates court and maybe unlimited if convicted in the crown court.

The European Union enacted the Directive 95/46/EC of the European Parliament and of the Council on 24 October 1995. This act protects individuals with regard to the processing of personal data and on the free movement of such data to multiple countries within the Union and outside.

FDA 21/ CFR 11

Established: 1997

Jurisdiction: US, Federal Drug Administration

Potential Fines: None, The software does not get certified

The Food and Drug Administration (FDA) issued regulations that provide criteria for acceptance by FDA, under certain circumstances, of electronic records, electronic signatures, and handwritten signatures executed to electronic records as equivalent to paper records and handwritten signatures executed on paper. These regulations, which apply to all FDA program areas, are intended to permit the widest possible use of electronic technology, compatible with FDA’s responsibility to promote and protect public health. The use of electronic records as well as their submission to FDA is voluntary. Elsewhere in this issue of the Federal Register, FDA is publishing a document providing information concerning submissions that the agency is prepared to accept electronically.


Established: 2002

Jurisdiction: US, Federal Government

Potential Fines: with fines of up to $500,000, imprisonment for up to 15 years, or both. Organizations that violate the EEA may be fined up to $10,000.000. [15]

The Federal Information Security Management Act (Title III of the E-Government Act of 2002) is the primary legislation governing federal government information security. FISMA built and expanded upon earlier legislation and added particular emphasis to the management dimension of information security in the federal government. FISMA establishes stronger lines of management responsibility for information security and provides for substantial oversight by the legislative branch.


Established: 1999

Jurisdiction: US, financial

Potential Fines: Invite penalties of $100 to $250,000 and imprisonment of 5-10 years for serious infringement. Financial institutions that violate GLBA can invite fines to the tune of $1 million or 1 per cent of their total assets.

The Gramm-Leach-Bliley Act (GLBA), which is also known as the Financial Services Modernization Act of 1999, provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses.

The GLBA primarily sought to "modernize" financial services--that is, end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies. The removal of these regulations, however, raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use.


Established: 1996

Jurisdiction: US, healthcare

Potential Fines: HIPAA calls for severe civil and criminal penalties for noncompliance, including:

· Up to $25,000 for multiple violations of the same standard in a calendar year

· Up to $250,000 and/or imprisonment up to 10 years for known misuse of individually identifiable health information

HIPAA, or Health Insurance Portability and Accountability Act, was created in 1996 to help secure health insurance. Because people change jobs frequently, HIPAA was designed to help people carry health insurance throughout their job transitions. Thus the "Portability" in Health Insurance Portability and Accountability Act (HIPAA).

ISO 17799 and 27002

Established: 2000

Jurisdiction: World, General

Potential Fines: None

ISO/IEC 17799 is an information security standard published in December 2000 by the International Organization for Standardization and the International Electrotechnical Commission in 2000 entitled Information technology to have an extremely comprehensive “Code of practice” for information security management.

Patriot Act

Established: 2001

Jurisdiction: US, General

Potential Fines: Personal fines of up to $1 million per count and, in the case of individuals, a maximum of 10 to 12 years in jail per count.” Id. Civil fines can range from $11,000 to $275,000 per count.

The USA Patriot Act is short for "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism" Act of 2001 and is a controversial piece of federal legislation in the United States.

Passed after the September 11, 2001 attacks, the Act was formed in response to the terrorist attacks against the U.S., and dramatically expands the authority of U.S. law enforcement for the stated purpose of fighting terrorist acts in the United States and abroad. It is also used to detect and prosecute other alleged potential crimes such as providing false information on terrorism.


Established: 1934

Jurisdiction: US, Traded Stocks

Potential Fines: As much as $15 million

The SEC was established under the Securities Exchange Act of 1934 as an independent, nonpartisan, quasi judicial regulatory agency charged with administering federal securities laws. The purpose of these laws is to protect investors in securities markets that operate fairly and to ensure that investors have access to disclosure of all material information concerning publicly traded securities. The Commission also regulates firms engaged in the purchase or sale of securities, people who provide investment advice, and investment companies. The Commission derives its authorities from and enforces the following laws:

Securities Act of 1933

Securities Exchange Act of 1934

Investment Company Act of 1940

Investment Adviser Act of 1940

Public Utility Holding Company Act of 1935

Trust Indenture Act of 1939

SOX (Sarbanes-Oxley)

Established: 2002

Jurisdiction: US, Public Companies

Potential Fines:

For firms: up to $2 million per violation, up to a maximum of $15 million.

For individuals: a fine up to $100,000 for each violation, up to a maximum of $750,000.

The Sarbanes-Oxley Act (officially titled the Public Company Accounting Reform and Investor Protection Act of 2002) and commonly called SOX or Sarbox, signed into law on 30 July 2002 by President Bush, is considered the most significant change to federal securities laws in the United States since 1933-1937 (The New Deal). It adopts tough new provisions intended to deter and punish corporate and accounting fraud and corruption, threatening severe penalties for wrongdoers, and protecting the interests of workers and shareholders. It came in the wake of a series of corporate financial scandals, including those affecting Enron, Arthur Andersen, and WorldCom.