Table 1: Major Compliance Legislation
(Columns: Legislation / Jurisdiction / Sector / Main provisions)

Legislation: Sarbanes-Oxley Act (SOX)
Jurisdiction: United States; also multinational companies listed on US stock exchanges
Sector: All companies publicly traded on US stock exchanges; private companies in the accounting and finance sector
Main provisions: Particular focus on company officers and finance personnel. Company officers can be imprisoned for up to 20 years for willfully destroying records (an email message included) in contemplation of a federal investigation. All correspondence, including electronic records, related to an audit or review of a public company must be retained for 5 years.

Legislation: SEC Rule 17a-4 (17 CFR 240.17a-4), together with National Association of Securities Dealers (NASD) rules 3010 and 3110
Jurisdiction: United States
Sector: Financial services (broker-dealers)
Main provisions: Records must be preserved exclusively in a nonrewritable, nonerasable (WORM) format; the quality and accuracy of the media-recording process must be verified automatically; storage media must be serialized (uniquely identified so that the order in which records were written can be established, or at least carry metadata indicating that order) and time/date stamped; indexes and records must be readily downloadable; a duplicate copy of all records must be stored separately from the original; records must be retained for 6 years, and kept in an easily accessible place for the first 2 years.

Legislation: Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act, GLBA)
Jurisdiction: United States
Sector: Financial institutions and firms offering financial products and services
Main provisions: Allows fines and up to 5 years' imprisonment for company officers if the institution fails to "ensure the security and confidentiality of customer records and information" and, crucially, to "protect against any anticipated threats or hazards to the security or integrity of such records."

Legislation: Basel II Capital Accord
Jurisdiction: The 13 member countries of the Basel Committee on Banking Supervision (mostly European, plus the United States, Canada and Japan); other countries, India and China among them, have adopted it as well
Sector: Banks and financial companies (the European Union (EU) applies the same rules to investment firms)
Main provisions: Full data capture must allow operational risk factors to be identified and analyzed; processes must have been in place from 2004 so that implementation could begin in 2007 with 2 years of historical data available.

Legislation: Freedom of Information Act 2000
Jurisdiction: UK (other European countries have similar acts)
Sector: Government (public authorities)
Main provisions: Gives anyone the right to request information held by public authorities; exempt information can be withheld, in most cases only where the public interest in withholding it outweighs the public interest in disclosing it.

Legislation: Data Protection Act 1998
Jurisdiction: UK
Sector: All (any organization holding personal data)
Main provisions: Requires an organization to disclose all personal information it holds about an individual within 40 days of that individual's request (a subject access request).

Legislation: Title 21 Code of Federal Regulations (CFR) Part 11
Jurisdiction: United States, but applicable to international companies trading in the United States
Sector: Pharmaceuticals, beverages, food processing, blood handling, cosmetics, medical equipment, etc.
Main provisions: Sets the conditions under which electronic records and electronic signatures are accepted as equivalent to paper records and handwritten signatures in regulated industries, for security, traceability and accountability of actions; such records must be secure and auditable.

Legislation: Swiss Code of Obligations (Articles 957 and 962)
Jurisdiction: Switzerland, and companies with subsidiaries operating in Switzerland
Sector: All
Main provisions: Requires accounting information and accounting documents to be retained for 10 years.