Tip

SD2003: Panel - Regulatory compliance and its impact on IT

Michele Hope, Senior site editor

Compliance is the new red flag in corporate IT these days. Some have equated its importance to the bygone days of Y2K, while others claim that vendors have taken undue advantage of the role IT should play in the government's stream of new data retention regulations.

According to Peter Gerr, senior research analyst at the Enterprise Storage Group, there are over 15,000 regulations in the U.S. alone that govern the handling of data. Gerr shared this statistic while moderating a panel on the subject of compliance at Storage Decisions.

From Sarbanes-Oxley (that largely impacts the efforts of publicly traded companies) to the more niche-specific regulations such as the Health Insurance Protection and Portability Act (HIPPA), Gerr reiterated to a full house of attendees the importance of setting IT policies and being able to track your data via some form of information lifecycle management (ILM).

But, compliance waters can get decidedly murky, since much of the legislation is often left intentionally vague by lawmakers.

Steve Fike, a panelist and senior technical specialist at BJC Health Care, shared some of the challenges with interpreting HIPPA requirements and still providing for the needs of the business. "Users want access to the electronic data and they want it now," he said. "Getting responsiveness in the data and yet making it compliant is really hard."

Another panelist, Cofounder and Executive Chairman of Steelpoint Technologies Michael Sullivan,

    Requires Free Membership to View

reiterated that "there's no magic bullet" when it comes to compliance efforts. "It's going to involve a lot of different people [at your organization] and a lot of different technologies."

Securities attorney Jeffrey Plotkin brought another perspective to the table. From his viewpoint and that of the courts, the primary driver for much of these regulations is the "ability to do effective, elctronic discovery," he said.

Before going into private practice, Plotkin worked for the Securities Exchange Commission as the chief attorney of the New York broker/dealer division. While there, he witnessed first-hand the penalties financial service companies incurred for noncompliance, specifically in regards to handling of e-mails. "Broker/dealers have long been required to retain copies of every e-mail," noting ironically that both those who retained e-mail, and those who did not, got into trouble with the laws.

Citing cases where all e-mails regarding a specific subject matter at a firm were subpoenaed, Plotkin claimed that this might sometimes mean companies would incur the cost of the discovery team having to write custom software to access the documents a company may have archived to older backup tape formats.

Getting back to ILM, Michael Sullivan indicated "If you didn't have a records management practice [to address compliance issues], you're probably already putting one in place."

Consultants on the panel agreed that each industry needs to look at the legislative requirements impacting it. When crafting policies on the types of data to archive versus delete, IT personnel also need to look at the specific needs of their business. In the energy sector, for instance, one attendee indicated their IT group receives discovery requests once every two weeks for back e-mails related to specific legal proceedings.

In the end, Gerr provided a few general requirements for long-term, compliant records, based on a recent compliance study conducted by his firm. He said you should look at your data in the following four ways:

  1. Discovery - Can I retrieve or recover it?
  2. Legibility - Can I read it today and tomorrow?
  3. Authenticity - Can I verify it's the original?
  4. Auditability - Can I provide for third party review?

Related presentation slides and other links to the full session proceedings are available here.


About the moderator: Peter Gerr is the senior research analyst at Enterprise Storage Group in Milford, Mass.

This was first published in September 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.