Feature

SOX, HIPAA in a Nutshell

Ezine

This article can also be found in the Premium Editorial Download "Storage magazine: Email storage lessons learned from Citigroup."

Download it now to read this article plus other related content.

Reduced to their simplest terms, the two big compliance regulations, Sarbanes Oxley (SOX) and The Health Insurance Portability and Accountability Act (HIPAA),

Requires Free Membership to View

go something like this: SOX defines which business records a company must store and for how long. HIPAA states who can view stored data as well as when the data must be destroyed.

From a storage perspective, the difference between SOX and HIPAA boils down to ensuring data permanence vs. data privacy, respectively.

In other words, with SOX--as well as SEC 17a-4--a company must prove that its data has not been altered from the time it was stored to the time it was retrieved. Krish Padmanabhan, director of data protection and reference storage solutions at NetApp, puts it more bluntly: "The SEC doesn't give a rat's ass if you leak the information--you just can't modify it."

Peter Gerr, analyst at Enterprise Storage Group, Milford, MA, points to write once, read many (WORM) media as the preferred choice for data permanence because it is inherently unalterable.

HIPAA or Gramm-Leach-Bliley, meanwhile, fall under the data privacy umbrella, where leaking information is the big no-no. Complying with data privacy regulations, says NetApp's Padmanabhan, is threefold: One, provide comprehensive access control; two, provide an audit trail of who has accessed what storage and when; and three, dispose of the data properly once its retention period is up.

The problem with many of the data privacy regulations, according to Padmanabhan, is that "the government doesn't tell you specifically what you need to do." In contrast, data permanence regulations such as SEC 17a-4 "are actually fairly specific," he says.

But according to Gerr, all regulations, whether in the data permanence or the data privacy camp, are challenging because all require a shift in how storage systems are managed. "It's hard to convince storage managers who are still struggling with backup and recovery to also keep an eye on security and retention periods," says Gerr. "That's a discussion that should start higher up in the organization."

--Shane O'Neill

This was first published in July 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: