SOX, HIPAA in a Nutshell

What do SOX and HIPAA mean to you?

Reduced to their simplest terms, the two big compliance regulations, Sarbanes Oxley (SOX) and The Health Insurance...

Portability and Accountability Act (HIPAA), go something like this: SOX defines which business records a company must store and for how long. HIPAA states who can view stored data as well as when the data must be destroyed.

From a storage perspective, the difference between SOX and HIPAA boils down to ensuring data permanence vs. data privacy, respectively.

In other words, with SOX--as well as SEC 17a-4--a company must prove that its data has not been altered from the time it was stored to the time it was retrieved. Krish Padmanabhan, director of data protection and reference storage solutions at NetApp, puts it more bluntly: "The SEC doesn't give a rat's ass if you leak the information--you just can't modify it."

Peter Gerr, analyst at Enterprise Storage Group, Milford, MA, points to write once, read many (WORM) media as the preferred choice for data permanence because it is inherently unalterable.

HIPAA or Gramm-Leach-Bliley, meanwhile, fall under the data privacy umbrella, where leaking information is the big no-no. Complying with data privacy regulations, says NetApp's Padmanabhan, is threefold: One, provide comprehensive access control; two, provide an audit trail of who has accessed what storage and when; and three, dispose of the data properly once its retention period is up.

The problem with many of the data privacy regulations, according to Padmanabhan, is that "the government doesn't tell you specifically what you need to do." In contrast, data permanence regulations such as SEC 17a-4 "are actually fairly specific," he says.

But according to Gerr, all regulations, whether in the data permanence or the data privacy camp, are challenging because all require a shift in how storage systems are managed. "It's hard to convince storage managers who are still struggling with backup and recovery to also keep an eye on security and retention periods," says Gerr. "That's a discussion that should start higher up in the organization."

--Shane O'Neill

Dig Deeper on Data storage compliance and regulations