Moving Toward Internet Compliance

By Tony Rundella

The growing need to supply information to the public and the community of customers, suppliers and business partners requires companies to focus their attention on information delivery.

In order to ensure the quality and integrity of the information they supply, the corporate enterprise has a growing need to develop processes along with associated policies and guidelines to aid in the distribution of information over the Internet.

Why focus your attention on Internet compliance?

There are a number of reasons to address information delivery over the Net: reputation; violation of credo, principles and ethics; advertising compliance; and privacy violations that could lead to lawsuits.

Corporations have a responsibility to provide leadership for the development of effective programs and processes that improve the quality, compliance and integrity of their websites and the information they deliver.

With a defined quality compliance process you can reduce risks, reduce costs to implement, experience a better return on investment, and reduce time to deploy websites.

These processes and guidelines also ensure the corporate legal, regulatory and credo standards are enforced.

Innovative companies are creating a corporate function to research the legal, regulatory, advertising and marketing components of information being distributed over the Net, an Internet Compliance Office, if you will.

This office is responsible for the collection and distribution of policies, procedures and guidelines that govern Internet compliant websites as well as the processes to stay in compliance.

Companies are also establishing compliance teams that consist of Internet compliance authorities, subject matter experts, and technical liaisons trained in the policies and guidelines that govern Internet compliance. These teams are involved in writing standard operating procedures for content approval, document closure and obtaining corporate approval.

They are also responsible for managing the auditing and monitoring of corporate websites to ensure they continue to meet compliance standards.

Internet compliance methodologies are also being developed to define the development of compliant websites. These, in essence, are mini system development lifecycles that outline the lifespan of an Internet site from conception to retirement.

The steps for establishing a compliance environment include:

  • establishing a working compliance team.
  • educating the team on all aspects of compliance policies.
  • developing and utilizing established corporate policies, guidelines and procedures.
  • writing local standard operating procedures (SOP) for content approval and all other aspects of compliance.
  • developing the sites using the compliance process, document closure and obtaining local approvals.
  • managing the team changes, improving the SOPs and auditing the compliance environment process.

The following is an example of a seven-stage process for developing a compliant Internet website:

  • Stage 1: Website Conception
  • Stage 2: Access and Apply Internet Compliance Policies, Guidelines & Procedures
  • Stage 3: Resolve Design, Content & Technical Issues
  • Stage 4: Site Development
  • Stage 5: Site Testing
  • Stage 6: Document Compliance Closure
  • Stage 7: Site Deployment and Monitoring

    Web Site Conception

    In this stage of the process the organization has initiated the potential development of a website to meet a business need. A business case is developed to define the site objectives, the site’s target audience and the site’s intended function.

    A site owner should also be identified and metrics established to measure the success of the site. The site owner should also identify the potential site developer(s) and the potential site host(s).

    Once the business case is developed and a decision is made to move forward with the site, the owner is responsible for registering the domain name through the proper channels within the organization.

    He or she is also responsible for providing the site developer and host with the compliance policies, guidelines and procedures established to develop a compliant Internet website.

    Access & Apply Policies

    Domain name registration should adhere to an established corporate policy and procedure. In this stage of the process the Internet compliance owner registers the domain name(s) following the established procedures.

    Copyright and protection of site images must be reviewed to ensure the website design will comply with their use. Legal notice(s), company name and logo use policies should also be reviewed to ensure they are properly incorporated on the site.

    Corporate product and service trademark policies must be addressed to ensure appropriate use. A statement of responsibility to clearly identify the legal site owner is used when applicable.

    Privacy and personally identifiable information (PII) must also be addressed in this stage of website development. There are several forms of sensitive information that may be collected or distributed via an Internet site: PII (via email), information from children under the age of 13, employee ID information, etc. Financial transactions and medical information are good examples of sensitive information.

    Email communications should be reviewed and approved in accordance with local and, if applicable, regional content review procedures including legal departments for all countries involved.

    Linking and framing policies guiding the linking to acceptable sites must be applied to the new website. The use of framing technology to third-party websites, linking disclaimers and links to blogs must also be reviewed in this stage of the process.

    Any potentially patentable inventions or ideas described on or collected by the website must be reviewed by a local operating company patent attorney. Web content designers must also ensure that all product-related content is compliant with any applicable product registration requirements, promotional and advertising requirements set by the locale’s ministry.

    A geographic disclaimer template may be required to ensure that the site is targeted to a country or countries where all content, including product information, applies.

    The website developer and host must also confirm they are meeting information asset protection requirements. They must:

  • Ensure secure firewalls and data storage comply with corporate information asset protection policies.
  • Ensure e-commerce interactions and connections are protected to assure confidentiality and integrity of all customer and vendor information.
  • Ensure the corporate information categorized as proprietary or confidential is protected.
  • Ensure that sites use personal identification numbers and/or passwords to secure information when applicable.

    Resolve Design, Content & Technical Issues

    A company’s image must not be compromised. The credo principles a company has established and adheres to must not be violated due to content on websites. This applies to textual content, all other forms of static images, video and audio content and the presentation of content in context to other content.

    A website review with consideration to its content should address key questions. Does the website:

  • contain sensitive information?
  • contain or address medical advice or consultation?
  • process e-commerce or information transactions or contain pricing information?
  • contain information or transactions regulated by healthcare compliance requirements?
  • advertise product and/or services?
  • identify company employees?

    Sensitive information, medical advice or consultation must be reviewed by the company’s copy clearance team. In general, medical advice should not be given to consumers over the Net.

    Web content must also be reviewed to determine if the site contains information that must meet corporate healthcare compliance requirements.

    You may also consider:

  • false claims.
  • Food and Drug Administration advertising rules.
  • state professional practice laws.
  • industry standards.

    U.S.-based companies selling to customers over the Internet are subject to U.S. export laws and regulations. They have a legal obligation to support prohibition of business transactions with certain entities and individuals. U.S. companies also have a legal obligation to support boycotts and trade embargoes of friends and allies.

    You must obtain regulatory and advertising copy review for products and services sold over the Net. Internet sites must present information about products in a fair manner with an equal presentation of the benefits and risks of the product, especially if you are marketing children's products.

    Products intended for children should:

  • not be sold directly to children on-line.
  • not invite a child to use a parent’s credit card for purchase.
  • address parental concerns.

    Advertising products and/or services over the Net may be subject to a country's rules and regulations. Some countries require password protection for reimbursable product information. Disclaimer information may also be required for goods and services sold over the Net.

    Credible references must be cited when making promotional claims. These references may be from journals, books and credible professional and/or government organizations.

    In general, a corporate employee should not be identified by name or image on a website. If identifying an employee by name or image on a site, you must obtain consent in writing utilizing an employee consent and release form.

    Once the site content and basic framework of the website is completed, the site content must be submitted to a “local” copy review. This process is similar to content review that is distributed to a designated receiving audience (i.e., print brochure content reviews).

    Hosting and technical compliance requirements must also be addressed in accordance with the established network and computing services guidelines.

    Review the company’s recommended conventions for site hosting in a shared or dedicated infrastructure. Ensure the Web services provided are compatible with established network and computing services guidelines and procedures.

    At the conclusion of this stage the major compliance components should be in place and the website prototype is ready for development.

    Site Development

    The Internet site owner works with the site developer and the deployment teams to develop a site utilizing corporate infrastructure and application guidelines.

    If using a third-party vendor, it is strongly advisable that third-party developers and/or server host locations use software and hardware platforms that would be easily transportable to an in-house environment. This facilitates an easier transfer, should the operating company decide to bring an existing production website in-house.

    Hosting site technical security issues must be addressed to ensure compliance requirements are met. Legal issues surrounding any third-party development and/or hosting contracts must also be established and in place with the appropriate approvals and signoffs.

    Websites should be developed utilizing corporate infrastructure and application guidelines. It is recommended that all websites comply with the guidelines set forth by corporate network and computing services.

    Site Testing

    The validation test verifies that the functional requirements of the site are performed as per specification in the original design.

    A compliance validation plan and test results demonstrate that the final work product, including all site management and related database software and network components, works as it was designed and meets all corporate compliance standards.

    The site functional requirements are inventoried and test scripts are developed to validate each function. The functional requirements are tested in accordance with the test plans and the test results are documented.

    Testers should attempt to “break” the website. This includes entering incorrect data into any interactive features that should result in a notice that points out the error to the end user and provides guidance on entering data correctly.

    At this stage the testing results are reviewed and approved to ensure that the site meets the design and functional requirements defined.

    Document Compliance Closure

    After validation testing has successfully been completed, final site compliance closure reviews are conducted and appropriate local approvals are obtained. The local marketing organization will review the site for brand content.

    The local operating company will have their regulatory affairs and a corporate attorney review the site for regulated content and legal compliance. The local Internet compliance authority will also perform a review of the site to ensure site administration and overall compliance is in place.

    Local technical, privacy and security representatives perform a review to ensure hosting, technical security and privacy compliance is met for the site and associated databases.

    Local marketing approval on site ensures all content and functionality is reviewed. Local regulatory and legal approval on site ensures that local operating company written approvals are obtained from the Regulatory Department and the corporate attorney.

    Internet compliance authority approval ensures the corporate Internet compliance policies, guidelines and procedures are met. Local technical, privacy and security approval ensures protected access to the corporate site via a secure network and the site is compliant with corporate privacy standards.

    Site Deployment and Monitoring

    In the last stage of the process you must ensure the site is deployed with supporting documentation, that monitoring procedures are established and that the website is properly maintained.

    Periodic site monitoring should be conducted by key operating company personnel and success measures compiled and reviewed. The use of software monitoring tools is recommended to check the site’s performance.

    An on-going monitoring plan should be established to periodically revisit the site to ensure that the site as well as its links remain compliant.

    By developing policies, guidelines and procedures and applying them in the design and development of a corporate website, the corporate enterprise is now moving toward Internet compliance. Through testing and reviews, the company ensures compliance closure. Compliance continuity is reinforced by on-going monitoring and maintenance after the website is deployed.

    Innovative corporations are now adopting Internet compliance as a best practice to ensure they safeguard their Internet connection for the future.

    Tony Rundella is a consultant with Delta Corporate Services, a business and technology consulting organization servicing the federal government and fortune-level companies throughout the United States.