The Seattle-based company facilitates trades between securities dealers and banks. Having watched several large Wall Street financial firms get hit with huge fines for failing to comply with regulations on data protection, the company decided to err on the side of caution.
"Pretty much anything that hits our e-mail server gets archived, even spam, which has its own folder," says Richard G. Smith, director of information technology. "Capture everything and sort later is our paradigm -- as you can imagine, it's not the most cost-effective solution."
Be safe rather than sorry. That seems to be the thinking of many storage administrators as they assume greater responsibility for helping their companies comply with a morass of new federal and state regulations.
"Whether you, as a CIO [chief information officer], are anointed to deal with compliance, or whether you volunteer to do it, either way you darn well better be meeting with the CFO [chief financial officer] and chief legal counsel to determine a data storage, protection and retention strategy," says Ed Broderick, a storage analyst with Robert Frances Group in Westport, Conn.
"And you better have a tiered storage structure such that you know which data needs to be maintained for how long and for what reason, to comply with (specific) regulations," Broderick says.
"They're looking at things like the ability to guarantee something is an original copy," says Ed Tolson, a storage analyst with Los Gatos, Calif.-based Contoural Inc. "They've got to be able to guarantee that [a document] is the original, they've got to save it, and they have to have a lifecycle on the data. As a result, systems for records management and electronic content are getting more looks these days," he says.
Enterprise Strategy Group in Milford, Mass., forecasts the market for compliance-related storage products could reach $6 billion during the next several years.
Coping with Sarbanes-Oxley
Probably the most onerous regulation is the Sarbanes-Oxley Act of 2002, or SOX for short. Public companies are subject to its strict guidelines for corporate governance and financial accounting. Even private companies that do business with public companies may have to comply with certain provisions regarding data protection and privacy.
"Lots and lots of companies are going through SOX audits to see where they are. That's probably forcing a closer relationship between storage and IT folks, and corporate legal departments, whereas they really didn't have a whole lot to do with each other before," Tolson says.
Compliance and storage are converging at Universal Corp., a Richmond, Va.-based tobacco leaf merchant with more than 50 worldwide subsidiaries. The Fortune 500 firm must maintain controls on about 280 significant accounts, nearly 260 key business processes and another 500 or so subprocesses that fall under the purview of the new law. Nearly 40,000 hours of planning and "thousands and thousands of dollars" were spent to ensure that Universal's overseas and domestic operations follow the same reporting guidelines.
"We have little standardization in our company but we [are required] to document all these various processes," says Hartwell Roper, Universal's CFO. "To some degree, this law puts bureaucracy into our company that we really don't want."
Although not yet widespread, use of storage virtualization should soar as companies strive to comply with SOX, Tolson says. He notes that a surprising number of corporations continue to rely on storing paper documents, which can be a nightmare if government litigators come calling.
"It just so happens that the data SOX targets -- audit documents, financial and tax records -- tend to be, in many cases, maintained on paper rather than electronically," Tolson says. "Obviously, that's going to change over the next couple years as storage becomes more of a strategic compliance asset for companies."
Getting a handle on HIPAA
Companies in the health care industry continue to grapple with compliance-related storage stemming from the Health Insurance Portability and Accountability Act, or HIPAA. It was created to help people who lose or change jobs keep their health care coverage, with strong privacy measures applied to the transfer of their data.
HIPAA spells out administrative, physical and technical safeguards for protecting health care data. Hospitals, insurers and other health care organizations are targeted, although the law also applies to technology companies that manage patient information on their behalf.
Even so, HIPAA is old news to most storage administrators, says John Webster, senior analyst and founder of Data Mobility Group in Nashua, N.H. Of greater concern is stepped-up enforcement of private-industry regulations, such as those established by the Joint Commission for Accreditation of Healthcare Organizations (JCAHO), which certifies hospitals.
"Federal regulations are only as good as the enforcement behind them. At the same time, if you're a hospital administrator faced with loss of accreditation, you're going to be much more concerned about compliance with JCAHO (than HIPAA)," Webster says.
More new rules on the way?
Even so, government regulations continue to emerge. California lawmakers passed a series of new laws to improve data security. Most notable is the California Security Breach Notification Act (SB 1386), which obligates companies to notify the public when any two identifying pieces of customer data are potentially compromised. The law applies to unencrypted data stored by companies, agencies and other organizations that have customers in California, or that could be sued in California.
Lawmakers in other states, including Illinois and Minnesota, are pondering similar measures, while Congress has discussed passing legislation at the federal level. IT organizations should expect to see future regulations centering more on data security.
As a result, storage directors find themselves in a stronger position to persuade upper management about potential exposures and craft intelligent solutions, Broderick says.
"This all starts with the storage administrator and the end users figuring out who is responsible for the care of the data. Storage administrators don't make the rules for the data, but they are the enforcers of rules that are jointly negotiated with the end user."
About the author: Garry Kranz is a freelance business and technology writer based in Richmond, Va.