SEC-Related Reference Not Relevant To CUs
I read "Not In E-Mail Compliance? Trouble
Obviously the headlines were meant to grab the readers' attention. While I am sure that many parts of the article are pertinent to credit unions, the paragraph about the SEC laying down the law and fining Wall Street firms $8 million in 2002 was a bit sensational. Most credit unions are not subject to SEC 17a-4 and DO NOT need to keep all their e-mails for six years. Even if a credit union were subject to SEC 17a-4, only the e-mail and documents affected by that statute would need to be kept for 6 years, not all e-mail. In fact, a recent Surpreme Court decision in the Enron case has prompted many law firms to advise their clients to get rid of e-mails and other documents unless they are actually required by law, have some critical value to the on-going operations of the credit union or have some relevance in a legal case. It should also be pointed out that law firms are giving this advice regardless of whether the documents are stored in original form or stored electronically.
Your readers need good solid advice. What they don't need is an article that sends them off on campaign to save all their e-mail for six years.
David J. Wright, CEO
Services Center FCU, Yankton, S.D.
SOX Only Applies To Publicly Traded Companies
Regarding your article in the 9/26/05 issue of The Credit Union Journal titled "Not In E-Mail Compliance? Trouble
I have found nothing that says GLB requires you to retain e-mail for any length of time, nor have I found any requirement that all outbound e-mail be scanned for non-public financial information. The law says that you need to protect non-public financial information-it need not be an automated technical approach.
In the past I have asked examiners and auditors if these types of systems are required, and their answer has always been "NO." Those requirements are specified as part of Sarbanes-Oxley and do not apply to credit unions.
If The Credit Union Journal feels I'm incorrect in this assumption, then I would ask why the examiners, auditors, and compliance officers aren't telling us this. Besides that, why isn't every two-bit Internet company trying to sell us the solution which is "required"?
Marc Kilgore, VP Information Systems
City & County CU, St. Paul, Minn.
Reporter Responds To Statements
Both readers are right in that GLB is not specific as to the number of years e-mail is kept or how email is scanned. The article does not say and is not meant to infer that GLB requires CUs to keep e-mails for any specific length of time or to scan e-mails for private financial information.
Instead, the article and AAFCU said that if CUs break e-mail GLB privacy and security laws, they may be subject to fines/jail. As far as I am aware, there is no legal precedent for how GLB will be interpreted in terms of e-mail storage or scanning, hence the credit union is interpreting GLB on the side of caution by acting in reference to the legal action against banks in violation of the SEC and SOX. The credit union has witnessed the crackdown on banks, and doesn't want to be the first credit union to experience the same.
AAFCU used to manually scan e-mails for private financial information; however, the CU said the manual process was prone to error and therefore not effective. The automated process is effective, as the article reported, even though it is not required by GLB.
Kevin Jepson, Technology Correspondent
