SOX, HIPAA in a Nutshell - Storage Technology Magazine
Reduced to their simplest terms, the two big compliance regulations, Sarbanes Oxley (SOX) and The Health Insurance Portability and Accountability Act (HIPAA), go something like this: SOX defines which business records a company must store and for how long. HIPAA states who can view stored data as well as when the data must be destroyed.

From a storage perspective, the difference between SOX and HIPAA boils down to ensuring data permanence vs. data privacy, respectively.

In other words, with SOX--as well as SEC 17a-4--a company must prove that its data has not been altered from the time it was stored to the time it was retrieved. Krish Padmanabhan, director of data protection and reference storage solutions at NetApp, puts it more bluntly: "The SEC doesn't give a rat's ass if you leak the information--you just can't modify it."

Peter Gerr, analyst at Enterprise Storage Group, Milford, MA, points to write once, read many (WORM) media as the preferred choice for data permanence because it is inherently unalterable.

HIPAA or Gramm-Leach-Bliley, meanwhile, fall under the data privacy umbrella, where leaking information is the big no-no. Complying with data privacy regulations, says NetApp's Padmanabhan, is threefold: One, provide comprehensive access control; two, provide an audit trail of who has accessed what storage and when; and three, dispose of the data properly once its retention period is up.

The problem with many of the data privacy regulations,

    Requires Free Membership to View

    Login

    When you register for SearchStorage.com, you’ll also receive targeted emails from my team of award-winning editorial writers. Our goal is to keep you informed on the hottest topics, the latest news and the biggest challenges you face as a storage professional today.

    Rich Castagna, Editorial Director

    By submitting your registration information to SearchStorage.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchStorage.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

according to Padmanabhan, is that "the government doesn't tell you specifically what you need to do." In contrast, data permanence regulations such as SEC 17a-4 "are actually fairly specific," he says.

But according to Gerr, all regulations, whether in the data permanence or the data privacy camp, are challenging because all require a shift in how storage systems are managed. "It's hard to convince storage managers who are still struggling with backup and recovery to also keep an eye on security and retention periods," says Gerr. "That's a discussion that should start higher up in the organization."

--Shane O'Neill

This was first published in July 2004

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top