Compliance deadlines touched almost every business sector and division in 2005. Think the worst is over? Think again: It looks like 2006 and 2007 will see even more activity, demanding a whole new level of monitoring and record-keeping technology.
In 2006, companies based outside of the United States but publicly traded there must comply with Section 404 of Sarbanes-Oxley. Companies inside and outside the United States with a market capitalisation of less than $75 million will have until July 2007 to comply.
Beyond Sarbanes-Oxley, the sleeping giant on Capitol Hill is the mound of privacy bills now under consideration, according to French Caldwell, research vice president at Gartner. One of them, there's about 20, will make it through before the 2006 elections, Caldwell says.
That bill may very well include a data-protection directive that gives every US citizen the right to know, in real time, how their personal information is being used. And real-time monitoring and e-forensics - the ability to maintain an audit history of personal data - require technologies most of the major credit card companies and banks don't have.
Data retention is also at the heart of revisions to the Federal Rules of Civil Procedure. Two in particular are ripe candidates for change in '06, according to Trent Dickey, a compliance attorney at Sills, Cummis, Epstein & Gross. Amendments to Rule 26 would require attorneys for both parties in litigation to talk about electronic document management. Rule 37f, a safe harbour regulation, would protect businesses that fail to come up with the documents required in a case but that can prove a good-faith effort.
Failing passage of 37f, courts may use precedents set in cases such as Zubulake v. UBS Warburg, a gender-discrimination suit in which the judge instructed the jury that if Warburg couldn't retrieve copies of communications about the plaintiff, the jury could assume that communication was damaging. Zubulake was awarded $20 million.
Then there's REACH (Registration, Evaluation and Authorization of Chemicals), a directive from the European Union with '06 and '07 deadlines, which requires an accounting for about 30,000 chemicals used in industry. The goal is to reduce the amount of hazardous chemicals in the environment. Eric Karofsky, senior research analyst at AMR, warns that REACH is going to require intense information sharing across disparate companies and industries. It will require IT infrastructure and applications that do not yet have the functionality to address these new requirements.
The list of regulations continues: In July 2006, ROHS (Restrictions on the Use of Certain Hazardous Substances in Electrical and Electronic Equipment) becomes EU law. It requires manufacturers to provide evidence that their products don't contain more than the restricted amount of six hazardous substances. In the United States, on 1 January, FALCPA (Food Allergen Labeling and Consumer Protection Act) kicked in. FALCPA requires manufacturers to include on labels, in plain English, descriptions of any ingredients that contain major food allergens.
According to Alison Smith, senior analyst at AMR, the new stack of regulations will require companies to re-engineer isolated business processes and integrate manufacturing into product lifecycle and process lifecycle management. Better start working on that. Now.