Compliance is the new red flag in corporate IT these days. Some have equated its importance to the bygone days of Y2K, while others claim that vendors have taken undue advantage of the role IT should play in the government's stream of new data retention regulations.
According to Peter Gerr, senior research analyst at the Enterprise Storage Group, there are over 15,000 regulations in the U.S. alone that govern the handling of data. Gerr shared this statistic while moderating a panel on the subject of compliance at Storage Decisions.
From Sarbanes-Oxley (that largely impacts the efforts of publicly traded companies) to the more niche-specific regulations such as the Health Insurance Protection and Portability Act (HIPPA), Gerr reiterated to a full house of attendees the importance of setting IT policies and being able to track your data via some form of information lifecycle management (ILM).
But, compliance waters can get decidedly murky, since much of the legislation is often left intentionally vague by lawmakers.
Steve Fike, a panelist and senior technical specialist at BJC Health Care, shared some of the challenges with interpreting HIPPA requirements and still providing for the needs of the business. "Users want access to the electronic data and they want it now," he said. "Getting responsiveness in the data and yet making it compliant is really hard."
Another panelist, Cofounder and Executive Chairman of Steelpoint Technologies Michael Sullivan,
Securities attorney Jeffrey Plotkin brought another perspective to the table. From his viewpoint and that of the courts, the primary driver for much of these regulations is the "ability to do effective, elctronic discovery," he said.
Before going into private practice, Plotkin worked for the Securities Exchange Commission as the chief attorney of the New York broker/dealer division. While there, he witnessed first-hand the penalties financial service companies incurred for noncompliance, specifically in regards to handling of e-mails. "Broker/dealers have long been required to retain copies of every e-mail," noting ironically that both those who retained e-mail, and those who did not, got into trouble with the laws.
Citing cases where all e-mails regarding a specific subject matter at a firm were subpoenaed, Plotkin claimed that this might sometimes mean companies would incur the cost of the discovery team having to write custom software to access the documents a company may have archived to older backup tape formats.
Getting back to ILM, Michael Sullivan indicated "If you didn't have a records management practice [to address compliance issues], you're probably already putting one in place."
Consultants on the panel agreed that each industry needs to look at the legislative requirements impacting it. When crafting policies on the types of data to archive versus delete, IT personnel also need to look at the specific needs of their business. In the energy sector, for instance, one attendee indicated their IT group receives discovery requests once every two weeks for back e-mails related to specific legal proceedings.
In the end, Gerr provided a few general requirements for long-term, compliant records, based on a recent compliance study conducted by his firm. He said you should look at your data in the following four ways:
- Discovery - Can I retrieve or recover it?
- Legibility - Can I read it today and tomorrow?
- Authenticity - Can I verify it's the original?
- Auditability - Can I provide for third party review?
Related presentation slides and other links to the full session proceedings are available here.
About the moderator: Peter Gerr is the senior research analyst at Enterprise Storage Group in Milford, Mass.
This was first published in September 2003