Electrical contractors increasingly perform scheduled or preventative maintenance of commercial, institutional and industrial buildings. While that might seem to be a logical extension of the contracting business, some laws on the books could make life a little more complicated for the unsuspecting maintenance contractor. Befitting the information age, data -security is the focal point of a number of regulatory schemes designed to detect fraud and ensure privacy. Contractors need to understand these laws, their impact on customers and, ultimately, the implications for their own businesses.
A recent study conducted by ELECTRICAL CONTRACTOR found that 75 percent of the contractors surveyed provide maintenance services to their customers. Large firms dominated the market for maintenance of buildings that house mid- to large-scale enterprises, including healthcare, education, government, manufacturing plants, factories and warehouses. Unlike their brethren who specialize in residential or light commercial contract work, those providing maintenance services to larger facilities require considerable awareness of their customers’ regulatory compliance concerns.
First and foremost among them is the Sarbanes-Oxley Act of 2002, passed by Congress after a spate of corporate scandals involving companies, such as Enron, Global Crossing, WorldCom and Tyco, roiled the financial markets and undermined the public’s faith in the integrity of its business leaders. Section 404 of the law requires all publicly held companies to submit an annual assessment of the effectiveness of their internal financial controls to the Securities and Exchange Commission. An external auditor then must audit and report on each company’s internal financial controls.
Sarbanes-Oxley (SOx) also requires financial reports to be easily traceable back to source data. Any changes to source data must be documented, noting anything that was added, deleted or changed; by whom; at what date and time; and for what reason. The bill’s requirements also apply to private companies planning to go public.
What happens if companies fail to comply? They could pay hefty fines, and their executives could go to jail. A company official found noncompliant with the act, for instance, could receive jail time of up to 10 years and a fine of $1 million, regardless of whether the noncompliance was intentional.
Needless to say, company directors and officials are paying close attention. Electrical contractors need to do so as well, especially those having access to the systems that store and use the data audited under SOx or to the areas that house the data and networking equipment. The law applies to data centers, telecommunications facilities and cable installations.
Carrie Higbie, global director of data center solutions and services for the Siemon Co., Watertown, Conn., said that SOx largely targets low-voltage maintenance and involves the documentation of maintenance moves, adds and changes as well as documentation of the network when installed through as-built drawings.
“Every interaction with company systems and networks that hold company financial data must be tracked and audited,” Higbie said. “In order for a company comptroller to certify who has had access to data, information technology staff must now be centrally involved. That, in turn, affects low-voltage electrical maintenance workers, their ingress and egress, and each interface with the system.”
It requires better contractor interface with the company security and networking personnel. Contractors may need to get security and background checks in order to gain access to a job where sensitive data is accessible. Trusted or clearanced contractors are mandatory in institutions and businesses involved in homeland security, but an increasing number of institutions in healthcare and financial markets are requiring background checks for their contractors and consultants.
Higbie said such requirements are generally included in part of the bid process for a given contract. It’s usually up to the customer to determine how strict these requirements are for any given trade. For some contractors, the additional expenses required for background checks and other regulatory requirements may be cost-prohibitive.
Low-voltage network and telephone cabling is an increasingly specialized field, with its own set of regulatory issues. It is, thus, becoming more rare to see high- and low-voltage maintenance ganged together in a single bid. While high-voltage electrical wiring practices have changed little over the years, data wiring and cabling practices have changed dramatically. Moreover, the importance of network cabling has grown; more real-time applications and data access demand a high-quality, reliable infrastructure. Electrical contractors who sub out low-voltage portions of the contracts may have additional reporting requirements for subcontracting firms.
Another point of regulatory concern for contractors is the Health Insurance Portability and Accountability Act (HIPAA). How would such a law affect electrical contractor maintenance work? Again, the key word is data. Virtually all healthcare organizations, including all healthcare providers, health plans, public health authorities, healthcare clearing-houses and self-ensured employers, are subject to HIPAA regulations. So are life insurers, information systems vendors, various service organizations and universities.
HIPAA was passed in 1996 and amended the Internal Revenue Service Code of 1986. The act called upon the Department of Health and Human Services to publish new rules to ensure the following:
The penalties for noncompliance with HIPAA, while not as stiff as those for SOx violations, are nonetheless hefty. Fines can run up to $250,000 and/or imprisonment for up to 10 years for knowing misuse of individually identifiable health information. With that at stake, organizations and businesses will go to great lengths to document each and every interaction with systems holding their health data. It is, consequently, imperative that contractors understand these requirements and work with facility managers to ensure full compliance. One HIPAA compliance requirement, in fact, calls for the development and maintenance of an internal privacy and security management and enforcement infrastructure, including provision for a privacy officer and a security officer.
One more data-related regulatory scheme, not quite as sweeping as SOx and HIPAA, is the U.S. Food and Drug Administration Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11). CFR 11, as it is commonly called, is directed at the Internet-centric pharmaceutical industry. Compliance is required of anyone involved in the development, manufacturing and marketing of life sciences products, including drugs, diagnostics and medical devices.
The legislative intent was to prevent fraud while permitting the widest possible use of electronic technology to reduce cost and paperwork. While the cost of compliance might be high, the cost of noncompliance could be much higher. If a company fails to meet these Food and Drug Administration requirements, it could be faced with a denial of a new drug application, potential delays in manufacturing, civil penalties and perhaps even prosecution for negligence. Millions of dollars are at stake.
Pharmaceutical companies, over the past decade and a half, have increasingly migrated to online services and processes. They use e-mail for research collaboration projects and communication during clinical trials. They use Web servers to store and access information, such as test and laboratory results. But there are much less prosaic uses of health information technology beginning to emerge, for example, remote monitoring of patients through medical devices connected to the Internet.
CFR 11 rules apply to electronic records defined as “any combination of text, graphics, data, audio, pictorial, or other information in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.” They also apply to any records covered by the FDA that exist in an electronic form. As with similar data protection rules, CFR 11 requires limiting system access to authorized individuals and use of secure, computer-generated, time-stamped audit trails.
It is clear that contractors doing electrical systems maintenance in pharmaceutical facilities will encounter security systems designed to safeguard health information and ensure traceability and will have to make accommodations accordingly.
While the demand for electronic data and the systems that carry it may seem to bring burdens not carried in the days before networks spun an intricate web around the globe, it also, as with most challenges, brings opportunity. According to Siemon’s Higbie, “The worldwide shortage of power, and its expense in the face of red-hot demand, makes it incumbent on businesses to make their data centers as energy efficient as possible. Forty-four percent of the cost of owning a data center is attributable to the cost of energy it takes to power it. Reducing energy use will not only improve the bottom line, it will have a significantly beneficial impact on the environment. And the information technology industry needs a bit of a facelift in that regard. It has, counterintuitively, the same carbon footprint as the aviation industry.”
Electrical contract maintenance providers are, thus, in a unique position to help businesses, organizations and governments identify opportunities to reduce energy consumption of their data network systems both in the short and in the long term. By assessing the company’s electrical efficiency and recommending means of improving it, contractors can do a favor for their customers and for themselves.
Finally, some observers of the implementation of the Sarbanes-Oxley bill also point out that because of the vagueness of some of its requirements, companies afraid of running afoul of the law might go further than necessary to ensure compliance and avoidance of penalties. This, too, may well accrue to the benefit of contractors, consultants and vendors. Another -silver lining.
HAMILTON, a former vice president of communications for the National Electrical Manufacturers Association, is a freelance writer and artist living in Parkton, Md., and can be reached at firstname.lastname@example.org.