Records retention has been heating up in storage lately as new
laws and new tools hit the market, from the US Federal Rules of
Civil Procedure (FRCP) to a new crop of
Software as a Service email storage and
data archiving players. However, some experts think this may
still be the calm before the storm when it comes to compliance
requirements.
According to Brian Babineau, analyst with the Enterprise
Strategy Group (ESG), his firm is currently focused on two bills
that have been registered in the U.S. House of Representatives and
are waiting for debate, known respectively as H.R. 4127 and H.R.
3997.
The two bills were originally introduced to the 109th Congress in
an effort to federalize data breach laws already passed by several
states, the most famous of which is California's SB 1386, which
requires companies that suffer a data breach to notify all
California-based customers that their data is at risk. Other
states, including New York, have followed suit, but there is not
yet a federal standard for security breaches.
Now tagging along with these laws are even more new provisions
for individual data privacy that some in the industry believe could
be a step toward the European Union's (EU) standards for data
archiving. Currently, the closest regulation the U.S. has to an
EU-style data archiving and privacy law is the Health Insurance
Portability and Accountability Act (HIPAA), which dictates
retention periods and privacy standards for healthcare
organizations. That type of multidimensional data management could
also be coming to other types of data archives if either of the two
data security bills passes.
In particular, H.R. 4127, which is the most popular with
consumer advocacy groups, gives consumers the right to see and
dispute or correct the contents of data broker files annually.
It's an issue that companies have already begun to wrangle with
overseas, according to Dave Hunt, CEO of C2C Systems Ltd., a
British company that makes email archiving software. European laws
require each end user to "opt in" to email archiving, and users can
demand that certain items be deleted from company archives.
According to Hunt, one customer of C2C's software in the U.K.
recently had to completely shut down its data archiving scheme
while it figured out how to securely delete messages from a balky
end user.
"I believe that similar laws are coming to the U.S.," Hunt said,
citing HIPAA as an example. "More and more American companies are
going to have to worry about these things and many already are if
they have a global business."
In response, C2C has shunned single instancing for messages in
its archive. "Under these kinds of regulations, you might want to
be able to delete messages from certain users' archives only, or
delete them from end-user search, but not from the archive itself,"
Hunt said. With the newest version of its product announced this
week, C2C has also added a laptop client that archives an
individual user's Outlook mailbox while it's running in cache mode,
allowing archived messages to be accessed online and allowing the
user to keep track of what content has been archived on his
behalf.
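To make the archive design trade-off described above concrete, here is an added Python sketch (not C2C's code and not part of the article) that contrasts a naive single-instance store with per-user copies, showing how only the latter supports deleting for one user or hiding a message from that user's search while the archive still retains it; the class names, users and messages are constructed for illustration.

```python
class SingleInstanceArchive:
    """Naive single-instance store: one shared copy per message id, so honouring
    one user's deletion demand removes the only copy for every recipient."""
    def __init__(self):
        self.store = {}  # msg_id -> body
    def ingest(self, user, msg_id, body):
        self.store.setdefault(msg_id, body)
    def delete_for_user(self, user, msg_id):
        self.store.pop(msg_id, None)  # gone for everyone, not just `user`
    def visible_to(self, user):
        return set(self.store)

class PerUserArchive:
    """One copy per (user, message): deletion and search suppression act on a
    single user's copy; other users' copies and the record itself remain."""
    def __init__(self):
        self.store = {}  # (user, msg_id) -> {"body": ..., "searchable": bool}
    def ingest(self, user, msg_id, body):
        self.store[(user, msg_id)] = {"body": body, "searchable": True}
    def delete_for_user(self, user, msg_id):
        self.store.pop((user, msg_id), None)
    def hide_from_search(self, user, msg_id):
        # hidden from the end user's search but still retained in the archive
        self.store[(user, msg_id)]["searchable"] = False
    def visible_to(self, user):
        # what this user's own search returns
        return {m for (u, m), e in self.store.items() if u == user and e["searchable"]}
    def retained(self):
        # what the archive still holds for records custodians and discovery
        return {m for (_, m) in self.store}

def demo():
    # constructed sample: message m1 sent to alice and bob; bob later gets m2
    si, pu = SingleInstanceArchive(), PerUserArchive()
    for a in (si, pu):
        a.ingest("alice", "m1", "quarterly numbers")
        a.ingest("bob", "m1", "quarterly numbers")
    si.delete_for_user("alice", "m1")  # alice's demand wipes bob's copy too
    pu.delete_for_user("alice", "m1")  # only alice's copy goes
    pu.ingest("bob", "m2", "lunch?")
    pu.hide_from_search("bob", "m2")   # bob can't search it; archive keeps it
    return sorted(si.visible_to("bob")), sorted(pu.visible_to("bob")), sorted(pu.retained())

if __name__ == "__main__":
    print(demo())  # ([], ['m1'], ['m1', 'm2'])
```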
"There are going to be different levels of interpretation of
these new laws and how records are retained, as well as who has the
rights to information," Hunt said. "Archiving applications will
expand down to the individual level and will become more
configurable by the end user."
"The question of who has access to archives is something people
[in the U.S.] are definitely going to have to think about,"
Babineau agreed.
Because, he added, if it's not H.R. 4127, it'll be something
else. Currently, the majority of legal precedent necessary to flesh
out the new FRCP has yet to be set in court, but one possible
"train wreck" has already surfaced in the case of Berkeley Premium
Nutraceuticals Inc., in which a federal appeals court ruled in June
that users of ISP-based email, such as Yahoo Mail or Google's
Gmail, have an expectation of privacy, and therefore their emails
are not discoverable.
"This is another train wreck we're looking at in this country,
if that becomes a hard and fast precedent," Babineau said. "What
happens if a company is using corporate Gmail? What happens if
personal emails are forwarded through a corporate account? The
lines are going to get blurred real fast."
So at what point is every IT administrator going to also need a
legal degree? "I don't think we'll see things get to that level,"
Babineau said, but he added that every organization will probably
need someone within its ranks who can act as a "translator" between
the legal department and IT. "You need a moderator, someone in the
middle who can make sure the attorneys and IT are all on the same
page when it comes to data management."