Establishing proper records retention policies for today's virtual records is on the minds of many storage
managers. And, with good reason. IT staffers manning the controls behind today's financial services,
healthcare and publicly-traded companies are even now struggling to understand the latest torrent of
legal mandates that dictate how long certain data should be stored and in what capacity. They are
weighing both the cost of compliance and the potential cost of noncompliance.
To shed more light on this issue, the editors turned to the Milford, Mass.-based Enterprise Storage
Group, a storage analyst firm who recently produced its own few hundred page report on compliance
legislation, its impact on the storage industry and various vertical, corporate markets. For the benefit of
our readers, we've excerpted portions of this report's executive summary here. (To purchase the full
report or to inquire about receiving a free chapter download related to your industry, go to the Enterprise
Storage Group Web site).
Table of Contents
Introduction
Main research themes
Research scope and highlights
Compliance in the financial services industry
Compliance in the life sciences industry
Compliance in the healthcare industry
Compliance in the government industry
Conclusion
Introduction
The challenges and complexities involved in addressing compliance are magnified by the current
knowledge gap between regulated industries and the technology vendors trying to capitalize on the
perceived opportunities.
Technology vendors' confusion with and misinterpretation of the regulations adversely affects the
credibility of the products, solutions, and marketing messages they develop to address comp
SAMPLE COMPLIANCE REPORT
The language that appears in the template below is intended to assist dealers with the preparation of compliance
reports that the Red Flags Rule requires dealership staff to submit to the dealership board of directors, an
appropriate board committee, or a designated senior management employee on at least an annual basis. The
template refers to three exhibits (A, B, and C) which do not appear in this publication and which your dealership
would have to prepare if it chooses to adopt this reporting format. The template language that appears below is
offered for illustrative purposes only. Consult your attorney concerning the language that your dealership should
use to satisfy its reporting obligation.
Annual [or Special] Report on The Identity Theft Prevention Program of [Dealership
Name]
Pursuant to Section 17 of the Identity Theft Prevention Program (ITPP) adopted by [Dealership Name]
(Dealership), this report (“Report”) is submitted to the Compliance Officer [or board of directors, a board
committee, or other member of senior management] by the Program Coordinator and staff responsible for the
development, implementation, and administration of the ITPP. This Report is intended to support and strengthen
the ITPP and comply with its reporting requirements.
As reflected by written attendance records and signed acknowledgment forms reviewed by the Program
Coordinator, all Dealership employees having duties with respect to account opening or maintenance have
received training under the ITPP and have agreed to abide by its terms. In addition, all new employees with such
duties receive training under the ITPP and sign acknowledgments agreeing to comply with its terms during the
orientation process.
[If there has already been a Report, add: Prior to this Report, the most recent Report prepared by the Program
Coordinators respecting the ITPP was dated and submitted to the Compliance Officer on
____________________________.]
[If there have been any amendments to the ITPP since the last Report, add: The most recent amendment to the
ITPP was adopted and dated __________________________.]
[Insert here a summary of each incident of identity theft reported on the log and for each incident describe the
response taken by management of the Dealership.]
3. Regulatory Guidance
Prior to preparing this Report, the Program Coordinator reviewed all Red Flags Rule materials at www.ftc.gov and
took other reasonable steps to identify applicable supervisory guidance by the FTC and other relevant regulatory
agencies respecting identity theft detection, prevention, and mitigation. Relevant guidance and other information
so obtained are summarized in Exhibit “B” attached to this Report.
[Here, the Program Coordinator should offer an evaluation of how the service provider arrangements are working,
such as: “The Dealership has relatively few arrangements with service providers, and all have executed the
contractual provisions required by the ITPP. All service providers appear to be in compliance with these
contractual obligations.”]
[Since Exhibit A reflects actual identity theft experiences, and Exhibit B reflects legal and regulatory
developments, this section will most likely be limited to administrative and management issues under the ITPP,
such as “the Program Coordinator needs an assistant.”]
[Here, include the Program Coordinator’s evaluation, such as: “The absence of any material identity theft incident
suggests that the policies and procedures set forth in the ITPP are effective at the present time in addressing the
risk of identity theft.”]
[Here, include the Program Coordinator’s conclusion and rationale, such as: “At this time, the effectiveness of the
existing policies and procedures and absence of any material developments in the other areas discussed in this
Report suggest that no material changes to the ITPP are necessary at this time.”]
Respectfully submitted,
______________________ _________________________________
Date Program Coordinator