Even though they have been around for quite some time now, the government regulations regarding privacy, security, disaster recovery and data retention are rearing their ugly heads in earnest. The WorldCom scandal and September 11th have changed things forever.
As an example, the SEC is actually starting to enforce the rules they put in place to protect clients and audit companies to rule out new scandals. Financial companies are being fined millions of dollars for not conforming to the SEC regulations regarding e-mail retention. This is great news for the storage industry though. Having to store six years worth of old e-mails and attachments can take up a LOT of space. The good news for consumers of storage is that the storage industry is busy creating exciting technology solutions to help your company comply and do it at the lowest possible cost.
So what are the regulations and whom do they affect? Let's take a closer look.
SEC Rule 17a-4: All financial services companies. This rule requires the retention of all customer records, financial transactions, bank records and buy and sell orders. All correspondence needs to be retained for around six years. This includes e-mail and perhaps Instant Messenger, if the company uses IM for transactions. You need to keep a secure copy of every transaction to be made available if the SEC audits the company.
HIPAA: The Health Insurance Portability and Accountability Act covers healthcare, insurance companies, hospitals, doctors, dentists and insurance clearing houses. This rule affects x-rays, digital scans and medical records. Basically, all patient related information must be protected and possibly encrypted when transferred electronically.
DOD 5015.2: Department of Defense records management standard. This standard focuses on records management and applications used by the department of defense. They are developing a list of certified solutions for use by the government that comply with best practice for security and retention. There are really no storage media requirements here, just certified application solutions that the DOD can use for records management. If your company develops records management applications for the government, you need to make sure the DOD has certified them.
21 CFR Part 11: Regulatory compliance for the drug industry. This rule affects all pharmaceutical companies, bio tech and laboratory device companies. This rule focuses on making sure product quality exists and helps minimize risks during drug manufacturing. It also covers security and electronic records storage.
This was a general overview of the regulations and whom they affect. There are many solutions being made available by the storage industry that can help your company conform. In my next column, I'll cover what those solutions are, and what to look out for when making a purchase decision.
This was first published in April 2003