Published: 10 Mar 2007
Most compliance regulations stress that organizations have well-documented processes for storing and retrieving company records. Technology can help, but it's only part of the solution.
Selecting a storage product to improve your organization's compliance is like putting the cart before the horse. Before you evaluate products, you need to understand the business requirements and objectives of managing your data; the types of data your compliance program must address; and the legal, regulatory and business requirements for storing, retrieving and deleting data.
Legal and regulatory compliance requirements are changing electronic data retention and storage rules. New and revised laws dictate how securely certain records must be stored, how long they must be kept and even how quickly they must be retrieved. Your company's in-house legal team or outside counsel will play an important role in crafting a storage compliance policy that will be defensible and workable.
Financial reporting laws: Many laws and regulations require companies to retain financial records and report them to agencies such as tax authorities and securities regulators. The Sarbanes-Oxley Act (SOX) reinforces those requirements with additional controls and stronger penalties for noncompliance. Contrary to some vendor claims, SOX doesn't directly require longer retention of most financial records. However, it does require outside auditors to keep their work papers for seven years, which may require a public company's internal records to meet that standard. These retention requirements can apply to enterprise resource planning (ERP) database records; scanned documents such as invoices and contracts; spreadsheets and document files in file shares or document management systems; and even relevant email messages if they haven't been captured in some other form. Some of these records may also be subject to different retention periods set by additional laws or internal policies.
|New rules for legal discovery|
Recent changes to the Federal Rules of Civil Procedure (FRCP), which became effective in December 2006, establish new standards that extend requirements in some areas while potentially reducing risks and costs in other respects. The new provisions clarify the rules for discovery and disclosure of electronic records in pre-trial court procedures.
The following highlights can serve as a starting point for discussions with your company's in-house counsel or legal advisors regarding the implications of these rules.
Overall, it's clear that these new rules raise the bar for information and storage management. To meet these obligations, and to avoid inadvertent omissions or inappropriate disclosures, companies need to know what they have, where it's kept and how readily it can be retrieved.
Industry-specific regulations: Aside from broadly applicable laws that regulate records kept by functions such as finance and human relations, companies must comply with industry-specific regulations and standards. Record-keeping rules for highly regulated industries, such as banks and pharmaceutical firms, are well-defined and relatively slow to change. However, regulators and industry organizations are still adapting traditional paper-based rules to cover the risks of emerging technologies in electronic communications and storage.
Privacy laws: Emerging privacy laws may require you to increase data protection and information security. Privacy laws include HIPAA privacy and security rules in the U.S., along with various state and federal laws protecting the privacy of consumer information. Privacy laws in Europe are generally stronger than those in the U.S., and you should anticipate U.S. laws to evolve in the same direction. For example, you may ultimately need to locate all the information you've collected on any individual and report all disclosures of that information.
International requirements: If your company has operations and data storage in many countries, your centralized business applications and storage infrastructure may need to support different retention periods for the same record types. For example, financial records that must be retained for seven years in the U.S. may need a 10-year retention in Germany and a 15-year retention in China.
Litigation discovery: For many companies, the risks and costs of litigation discovery are more significant than regulatory compliance requirements, and may prove to be a greater motivation for improving the management of electronic records. Recent changes to the Federal Rules of Civil Procedure (FRCP) set new standards for protecting and producing certain types of company records. Going forward, you need to know--or be able to quickly discover--what information you have, where it's kept and how readily it can be retrieved (see "New rules for legal discovery," this page).
Laws and regulations generally specify the content of the records a company must create and retain, but not the form in which the records are organized or the media on which they're stored. However, the organization and location of the data can make a big difference when you're defining your compliance program and selecting appropriate technologies for implementation.
|Business drivers for data management|
A key question that needs to be addressed is the appropriate scope of your compliance program and the types of records that will be addressed first. Does it include management of email, instant messages, voice mail, office documents, scanned document images and databases? What about paper records? Which areas represent the most immediate sources of compliance or litigation risk/cost? Which ones represent important opportunities for improved efficiencies and cost reductions?
The "Business drivers for data management" matrix on this page illustrates how many companies see semistructured data--particularly email and instant messages--as the most immediate pain point to be addressed to reduce the risk of noncompliance or the cost of litigation discovery. Structured data--including ERP databases and other enterprise applications --is often thought to be adequately controlled and compliant, although longer retention periods and increased regulatory scrutiny have many firms considering alternative ways to preserve and manage those records over the full information life cycle. Finally, unstructured data--such as office documents stored on network file shares--has typically been viewed primarily as a giant storage cost problem. However, many companies are now beginning to address these files in terms of their compliance and litigation strategy requirements, and storage professionals can make a big contribution in this area.
Given the broad range of data types a compliance program must ultimately address, it probably doesn't make sense to seek a single integrated solution for all of these data types. Most companies choose to start with the most pressing pain points and tackle problems one step at a time.
For example, many enterprises, particularly those in industries such as banking and securities trading, have implemented email archiving applications to ensure compliance with regulations or to provide appropriate retention of email records as part of a litigation-readiness strategy (see "Tools for managing legal holds and e-discovery," PDF file below). As attention turns to the contents of file systems, and as vendors introduce capabilities to handle multiple data types, it may make sense to expand an existing solution or include a complementary product to address other data types.
|Tools for managing legal holds and e-discovery|
|Click here for an overview on the tools for managing legal holds and e-discovery (PDF).|
The key to success is to first develop an understanding of the important business drivers, including compliance and litigation readiness, in addition to service levels, productivity and cost control. Once you've developed a consensus on the business requirements, you can define technical requirements and architect appropriate solutions.
|Compliance requirements and litigation-readiness strategies, along with operational business needs, should be reflected in up-to-date policies and procedures for records retention and destruction. A corporate records-retention schedule (RRS) is an essential tool for defining what records--on paper or in electronic form--you need to keep and for how long. A properly maintained RRS can establish requirements for electronic records storage and management. It can also identify the records that shouldn't be kept, as well as those eligible for deletion to reduce storage and management costs. It's important to set up processes for obtaining agreement from data owners and legal staff to determine which expired records can be deleted.|
Storage technologies for compliance
How do you figure out what technology solutions are needed to meet compliance requirements and other business needs around records management? Many compliance requirements can and should be addressed at the application layer, not the storage layer. These include email archiving, file-system archiving, content and records management, litigation support tools and case management platforms. The overall compliance program should address all of these components. But storage management tools can also address specific compliance requirements, particularly for unstructured data, the files stored on network file servers (see "Records retention," this page).
Document-authoring applications provide functionality for creating and editing memos, spreadsheets and presentations. They provide very little built-in functionality for version control, document retention and lifecycle management. Content management systems can manage some of these file types, but are typically cost-effective only for documents within structured business processes with defined workflows and extensive user education. Most organizations find that unstructured document files represent a large and rapidly growing area of cost and risk. Content-addressed storage (CAS) systems and data classification tools can help reduce costs and risks.
CAS systems: These systems help with unstructured data files by eliminating duplicate copies and providing a single-instance store of unique files. They can manage retention periods in accordance with defined policies, and their search tools find files that have been placed in the repository by a variety of applications. They can also ensure that expired files within the CAS repository are deleted, using techniques such as "digital shredding" of encrypted files by erasing the encryption keys. Does this mean that unless all of your unstructured data is kept on CAS systems you'll fail your compliance audits and be slapped with fines or hauled off to jail? Of course not. CAS is one tool among many. When appropriate, it may be used alone or combined with application-layer capabilities such as archiving or content management software. But you should take care to classify your data before sending it to a CAS system. Once the files are classified, you can eliminate those that don't need to be retained and set appropriate retention periods for those to be kept.
Data classification tools: These tools identify files that represent compliance and legal risks in terms of privacy laws (personal data contained in files). With proper data classification, you may also be able to greatly reduce the number of files to be retained and managed--or searched, reviewed and produced under legal discovery orders. Some data classification tools can classify already-stored files based on content. Other tools classify files or messages before they're moved to a specific repository such as an email archive. And some tools perform both functions for specific data types or sources.
Other storage technologies: Encryption software may be appropriate for some classes of data, or for data stored on removable media or portable systems. Many companies are considering encrypting backup tapes before transporting them offsite to avoid costly and damaging breaches of privacy laws. Other organizations are eliminating physical transportation of backup tapes and adopting disk-to-disk backup over secure networks as an alternative approach to data protection and recovery.
There's no single technology solution that meets all compliance requirements. The first step is to define your unique requirements, including compliance and litigation-readiness needs, as well as business productivity and service-level objectives. To determine compliance requirements, look beyond the vendor hype and work with your legal, compliance and records management teams to define the necessary processes.