The point of this history lesson is that no matter how carefully we plan, and no matter how much we try to protect ourselves from harm, it's often not the big, obvious things but the simple things below the radar that may be our undoing in the end.
This is a particularly important lesson for those charged with the business battle of assuring that their companies meet Section 404 and other requirements of the Sarbanes-Oxley Act (SOX). Because despite the many intricate and hardened systems that are put in place to secure electronic documents and verify the accuracy of their contents, there is a gaping vulnerability in almost every system: the fax machine.
Think about it. What types of documents are normally sent via fax rather than email? Normally they are legal documents, such as contracts, loan applications, medical records, and employment information, and other documents that require a signature for verification. In other words, key documents that affect both the financial and legal health of the organization.
Now think about where that fax machine sits. Usually, it is in a common area such as a mail room, on top of a file cabinet, or in a passageway between offices or cubicles — somewhere that allows anyone walking by to see the contents of those important legal or financial documents. Beginning to see the chinks in that armor yet?
Next, think about the form factor of those key documents. They come in as paper, which means they can be easily lost, misplaced, or misfiled. They can also be accidentally gathered up and thrown out with the daily newspaper or the debris from your lunchtime sandwich. Even if they are properly filed, they can be difficult to access quickly if you have to endure an audit — particularly if you are in the financial industry, which sends and receives a large number of faxes each month. And before they get to their intended recipients, how many sets of eyes with low security clearances will they pass in the process of getting from the machine to the right desk? Talk about a lack of internal controls!
Shoring Up the Armor
Before you begin to feel like your SOX quest is doomed to failure, however, there is a way to fix this vulnerability. The solution is Internet faxing, a technology that allows you to use compliance and security measures already in place for PCs to provide complete monitoring, protection, and control over faxed documents.
This new twist on an older technology eliminates many of the compliance and privacy concerns facing public companies by taking the fax machine out of the equation. Instead, faxes are sent and received as attachments directly via the user's email account or are downloaded from a secure server. Internet faxing solves several compliance concerns, including:
- Providing greater control over important financial and legal documents (as required by Section 404)
- Guarding against unauthorized viewing of confidential materials that could lead to insider trading by minimizing handling
- Protecting personal information such as that required by the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
- Assuring that faxed documents can be accessed and backed up, creating an electronic paper trail to verify financial and legal statements
As anyone concerned with compliance issues knows well, Section 404 of SOX requires every public company to issue an annual report that contains "an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." Yet when it comes to faxes being sent and received via a fax machine, often there are no controls in place at all. Which means that important confidential financial and legal information is being transmitted through the electronic equivalent of shouting it out the window.
Consider the path of the typical inbound fax. It comes in to an unattended machine where it may sit in the tray for 15 minutes to four hours, depending on the size of the company and its processes for managing faxes. Distribution of faxes may be considered "everyone's job" — i.e., whoever sees it grabs it and delivers it to the intended recipient — or there may be a single person or small group of people who have that responsibility. Whoever finds the fax has to look for a cover page, especially if there are several in the tray, and determine where it goes. In the meantime, they're rifling through everything else to sort out what goes where.
Best-case scenario, the fax is delivered to the person for whom it is intended. Not-so-good-case scenario, it's delivered to the wrong person, thus exposing the contents to even more people. Worst-case scenario, it is accidentally discarded along with an opportunity to win a three-day, four-night stay at the Oceanside hotel in Key Largo, Florida. Not exactly the picture of airtight control you want to paint for an auditor.
With an Internet faxing solution in place, the organization has a controllable, verifiable, and automated system to manage the delivery of faxed documents. They are sent and received by the person directly involved with the document, without any intervention by anyone else.
Best Evidence
Title VIII, the Corporate and Criminal Fraud Accountability Act of 2002, states that "It is a felony to 'knowingly' destroy or create documents to 'impede, obstruct, or influence' any existing or contemplated federal investigation." Yet the practice still goes on, and will continue to as long as flawed human beings are involved.
Human nature, however, does not excuse the organization from its responsibilities. This is an area where Internet faxing is clearly superior to paper faxes.
Let's face it, paper documents can be shredded quickly and easily, leaving no trace of transactions or correspondence. Because of this fact, they form a glaring weakness in the armor of corporate compliance. Because Internet faxes are electronic, they can be classified, stored, and archived like any other document. They can be backed up to a secure site or on tapes/disks and brought back later. They can also be stored by the Internet fax service, providing further safeguards in the event of a disaster — whether it's accidental or intentional.
How Internet Faxing Works
There are two basic methods for using Internet faxes. With the email method, the fax is either sent or received directly through the user's email account. Inbound faxes arrive as an attachment to an email, either in PDF or another document format the user specifies. Generally, a preview is also provided, allowing the recipient to review the fax without opening it to determine if the message is urgent or can wait until later.
The second method, sending and receiving via a secure server, offers even greater protection. Rather than delivering the actual fax, the secure server method sends an email notification alert to the users when faxes come into their accounts. Users then go to a password-protected site where the fax sits in a secure, encrypted in-box on a secure socket layer (SSL)-enabled server. Ideally, the documents will be protected by 128-bit encryption (such as that from VeriSign), 1024-bit public keys, and PGP public key/private key security encryption. After logging in, users are able to view the fax and/or download it to their computer. This same method can be used in reverse to send a fax, leaving no trace of the original fax in an Outlook or other mail server "sent" file.
The secure server method provides the ultimate in SOX-compliant security for the most sensitive documents. Delivery of every sent fax is confirmed via e-mail, with the name of the recipient plus the day and time of arrival included. This method not only provides immediate assurance that documents have reached their destination for the normal conduct of business; it also provides physical evidence of delivery should a question arise. From a business perspective, it also avoids delays in receiving and distributing faxes that can lead to missed deals.
Claim Victory
No knight would willingly go into battle knowing his armor was flawed. Now that you're aware of this chink in your SOX armor, you shouldn't either.
Moving to an Internet fax solution lets you finish the job you started and provide additional SOX (and other compliance) protection to some of your most sensitive documents. It may not make you a legend, but you'll definitely sleep better at night.
About the Author
Steve Adams is Vice President of Marketing for MyFax, a provider of Internet faxing services for individual home users, small businesses, and large corporations. MyFax has won a number of awards in head-to-head competitions for ease of use, reliability, and best overall value. Steve Adams can be reached at sadams@protus.com.