Four new products hit the market this week in the compliance space -- and analysts said it's part of a larger trend toward data retention as standard business practice, even in businesses unaffected by specific government or industry regulations.
Storage Technology Corp. (StorageTek) unveiled a consulting partnership with Deloitte Consulting LLP; StorageTek's archiving and data management products will combine with Deloitte's consulting services. Permabit Inc. announced an upgrade to its flagship product, Permeon Compliance Store 2.0. Plasmon announced Ultra Density Optical Compliant Write Once media specifically for compliance use. And IntelliReach Corp. will integrate search engine software with its e-mail archiving product meant to make records retention easier and more attractive for the smaller businesses.
It's not a coincidence, according to Dianne McAdam of the Data Mobility Group. "As far as compliance goes, we've taken care of the big guys. I think we're seeing a move down market with compliance products."
"We're seeing sort of compliance with a small c, where it's not tied to regulations," McAdam said. "More and more, contracts and other important negotiations are being done over e-mail or instant message. These businesses are starting to realize they had better save those electronic documents the way they already do physical documents."
Companies like EMC Corp., IBM and Hewlett-Packard Co. (HP) are adjusting compliance and data retention products for the midrange as well with smaller versions of products, such as EMC's "baby" Centera, HP's RISS system and IBM's DR550, McAdam said..
According to Mark Casey of Contoural Inc., compliance with government regulations by bigger companies has also had a domino effect on the midrange market.
"Even for private companies, if they're thinking about meeting increasing levels of expectation among customers, investors and possible future acquirers, they need to start thinking about SOX certification of their controls and financial reporting," Casey said.
Regulated or not, the threat of litigation, particularly in the U.S., applies to everyone, he added. "If you get into litigation, the odds are pretty high that if there's a smoking gun the other party is going to have it. Deleting all your e-mails isn't going to get rid of it, but it might get rid of context that might help mount a defense against allegations."
Getting started: Set your policies first
So how would a user new to data retention policies start implementing them? Casey suggested that a private company, worried about litigation, should examine its retention policies around physical documents.
Those retention policies are a good model for electronic data retention because they are specific and organized, Casey said, but in other cases not applicable because electronic files are easier to store and move than paper. Rather, the goal here is to create "a complete business record."
Casey said, "A lot of these compliance products are aimed at doing that without breaking the bank -- one copy instead of multiple copies of the same thing, putting the data on less expensive media when the frequency of access goes down without having it cost you millions of dollars."
The international security standard on information technology security, ISO 17799 may help as a jumping off point to forming policies, Casey said..
The most important first step, according to Brian Babineau of the Enterprise Strategy Group, is that companies form a solid policy before planning to purchase technology.
"Get all the constituents that are impacted by data retention in a room," Babineau said. "Do a review -- are you subject to regulations? Are there any internal policies, including those set forth by your board of directors, that affect retention and disposition policies?"
Babineau said, "The biggest mistake folks make is assuming technology equates to compliance and good data retention policy. You need the people, the process and then the technology."