Faxes: The Achilles Heel In Your Compliance Armor
Important, confidential financial and legal information is being transmitted through the electronic equivalent of shouting it out the window. Maybe it's time to use an Internet fax service.
March 16, 2006
Just about anyone who has read Greek mythology (or seen the Brad Pitt movie Troy) is familiar with the story of Achilles. He was a mighty warrior who was destined to lead the Greeks against the Trojans in the battle for the abducted Helen. And to die there.
Perhaps the best-known part of the story is that his mother tried to protect him by dipping him into the river Styx in the Underworld, where all but the heel she used to hold him became invulnerable. Of course, as Murphy’s Law dictates, eventually an arrow found his heel and he died in battle anyway.
The point of the story is that no matter how carefully we plan, and no matter how much we try to protect ourselves from harm, it’s important not to overlook the simple things that may seem insignificant on the surface but may be our undoing in the end.
This is a particularly important lesson for those charged with assuring that their organization meets Section 404 and other requirements of the Sarbanes-Oxley Act. Because despite the many intricate and hardened systems that are put in place to secure electronic documents and verify the accuracy of their contents, there is a gaping vulnerability in almost every system: the fax machine.
Think about it. What types of documents are normally sent via fax rather than e-mail? Normally they are legal documents, such as contracts, letters of agreement, purchase orders, submitted RFPs, and other documents that require a signature for verification. In other words, they are key documents that affect both the financial and legal health of the organization.
Now think about where that fax machine sits. Usually, it is in a common area such as a mail room, on top of a file cabinet, or in a passageway between offices or cubicles, somewhere that allows anyone walking by to see the contents of those important legal or financial documents. Beginning to shudder yet?
Next think about the form factor of those key corporate documents. They come in as paper. Which means they can be easily lost, misplaced, or misfiled. They can also be accidentally gathered up and thrown out with the daily newspaper or the debris from your lunchtime sandwich. Even if they are properly filed they can be difficult to access quickly if you have to endure an audit, particularly if you are in an industry, such as mortgage brokers and insurance companies, that sends and receives a large number of faxes each month. And before they get to their intended recipients, how many sets of eyes with low security clearances will they pass in the process of getting from the machine to the right desk? Talk about a lack of internal controls!
Before you fall into the same despair that came upon Achilles’ mother, however, there is a way to fix this vulnerability. And it doesn’t involve anything as perilous as a trip to the Underworld. The solution is Internet faxing, a technology that allows you to use compliance and security measures already in place for e-mail to provide complete monitoring, protection, and control over faxed documents.
This new twist on an older technology eliminates many of the compliance and privacy concerns facing public companies by taking the fax machine out of the equation. Instead, faxes are sent and received as attachments directly via the user’s e-mail account. This method solves several compliance concerns, including:
Providing greater control over important financial and legal documents (as required by Section 404)
Guarding against unauthorized viewing of confidential materials that could lead to insider trading by minimizing handling
Protecting personal information such as that required by the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
Assuring that faxed documents can be accessed and backed up, creating an electronic paper trail to verify financial and legal statements
Gaining Control
As anyone concerned with compliance issues knows well, Section 404 of SOX requires every public company to issue an annual report that contains "an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." Yet when it comes to faxes being sent and received via a fax machine, often there are no controls in place at all. Which means that important, confidential financial and legal information is being transmitted through the electronic equivalent of shouting it out the window.
Consider the path of the typical inbound fax. It comes in to an unattended machine where it may sit in the tray for 15 minutes to four hours, depending on the organization’s processes for managing faxes. Distribution of faxes may be considered "everyone’s job," i.e. whoever sees it grabs it and delivers it to the intended recipient, or there may be a single person or small group of people who have that responsibility. Whoever finds the fax has to look for a cover page, especially if there are several in the tray, and determine where it goes. In the meantime, they’re rifling through everything else to sort out what goes where.
Best case scenario, the fax is delivered to the person for whom it is intended. Not so good case scenario, it’s delivered to the wrong person, thus exposing the contents to even more people. Worst case scenario, it is accidentally discarded along with an opportunity to win a three day, four night stay at the Oceanside hotel in Key Largo, Florida. Not exactly the picture of airtight control you want to paint for an auditor.
With an Internet faxing solution in place, the organization has a controllable, verifiable, and automated system in place to manage the delivery of faxed documents. They are sent and received by the person directly involved with the document, without any intervention by anyone else.
Delivery of every sent fax is confirmed via e-mail, with the name of the recipient plus the day and time of arrival included. This method not only provides immediate assurance that documents have reached their destination for the normal conduct of business; it also provides physical evidence of delivery should a question arise. From a business perspective, it also avoids delays in receiving and distributing faxes that can lead to missed deals.
There is an old saying in Washington that goes "if two people know, it’s no longer a secret." Yet a great many documents that can have a substantial effect on the stock price, good or bad, are sent via fax because they require a signature. One does not have to be a master criminal, however, to gain access to those documents, since both sent and received documents often sit in plain view.
An attorney’s request for written authorization to pursue activities related to a merger or acquisition is one example of that type of document. A CFO’s handwritten markings on a draft of the annual report are another.
By going directly into the e-mail account of the intended recipient, faxes are protected from prying eyes that can do the organization harm, whether intentionally or unintentionally. These documents can be further secured by going into a special e-mail account that is password-protected, or setting your preferences to receive the fax as an encrypted e-mail.
Highly sensitive faxes can bypass e-mail altogether by being delivered to a secure Web site where they can be downloaded at a time and place that’s convenient for the user. This method eliminates the risk of an e-mail containing the fax being intercepted or being accessible on an internal e-mail server. While you can never close all the holes, should a question arise you can demonstrate to an auditor or inquisitor that you have made every effort to do so. And, in fact, have gone beyond what is usual and customary.
While legislation such as HIPAA was intended primarily for e-mail and Web applications, a case can certainly be made for extending its protection to faxed documents as well. Particularly since medical records are often faxed back and forth between individual healthcare providers, hospitals, and insurance companies.
Using Internet faxing rather than fax machines or even fax servers again demonstrates a “best effort” to protect the privacy of individuals, which in turn helps build the overall position of corporate compliance. It also helps protect the organization from information leakage that can lead to lawsuits, ultimately damaging both the organization’s reputation and the bottom line.
Best Evidence
Title VIII, the Corporate and Criminal Fraud Accountability Act of 2002, states that "It is a felony to knowingly destroy or create documents to impede, obstruct or influence any existing or contemplated federal investigation." Yet the practice still goes on, and will continue to as long as flawed human beings are involved.
Human nature, however, does not excuse the organization from its responsibilities. This is an area where Internet faxing is clearly superior to paper faxes.
Let’s face it. Paper documents can be shredded quickly and easily, leaving no trace of transactions or correspondence. Because of this fact, they form a glaring weakness in the armor of corporate compliance. Because Internet faxes are electronic, they can be classified, stored, and archived like any other document. They can be backed up to a secure site or on tapes/disks and brought back later. They can also be stored by the Internet fax service, providing further safeguards in the event of a disaster, whether it’s accidental or intentional.
Avoid The Greek Tragedy
There wasn’t much Achilles could do about his heel, and eventually he paid the price. You don’t have to suffer the same fate.
Moving to an Internet fax solution lets you finish the job you started and provide additional SOX (and other compliance) protection to some of your most sensitive documents. It may not make you a legend, but you’ll definitely sleep better at night.
Steve Adams is vice president of marketing for MyFax, a provider of Internet faxing services for individual home users, small businesses, and large corporations. He can be reached at [email protected].