New storage rules may complicate records management

Experts say new bills before Congress and court decisions may further complicate things for U.S. companies already grappling with records retention, compliance and data archiving.

Records retention has been heating up in storage lately as new laws and new tools hit the market, from the U.S. Federal Rules of Civil Procedure (FRCP) to a new crop of Software as a Service email storage and data archiving players. However, some experts think this may still be the calm before the storm when it comes to compliance requirements.

According to Brian Babineau, analyst with the Enterprise Strategy Group (ESG), his firm is currently focused on two bills that have been registered in the U.S. House of Representatives and are waiting for debate, known respectively as H.R. 4127 and H.R. 3997.

The two bills were originally introduced to the 109th Congress in an effort to federalize data breach laws already passed by several states, the most famous of which is California's SB 1386, which requires companies that suffer a data breach to notify all California-based customers that their data is at risk. Other states, including New York, have followed suit, but there is not yet a federal standard for security breaches.

Now tagging along with these laws are even more new provisions for individual data privacy that some in the industry believe could be a step toward the European Union's (EU) standards for data archiving. Currently, the closest regulation the U.S. has to an EU-style data archiving and privacy law is the Health Insurance Portability and Accountability Act (HIPAA), which dictates retention periods and privacy standards for healthcare organizations. That type of multidimensional data management could also be coming to other types of data archives if either of the two data security bills passes.

In particular, H.R. 4127, which is the most popular with consumer advocacy groups, gives consumers the right to see and dispute or correct the contents of data broker files annually.

It's an issue that companies have already begun to wrangle with overseas, according to Dave Hunt, CEO of C2C Systems Ltd., a British company that makes email archiving software. European laws require each end user to "opt in" to email archiving, and users can demand that certain items be deleted from company archives. According to Hunt, one customer of C2C's software in the U.K. recently had to completely shut down its data archiving scheme while it figured out how to securely delete messages from a balky end user.

"I believe that similar laws are coming to the U.S.," Hunt said, citing HIPAA as an example. "More and more American companies are going to have to worry about these things and many already are if they have a global business."

In response, C2C has shunned single instancing for messages in its archive. "Under these kinds of regulations, you might want to be able to delete messages from certain users' archives only, or delete them from end-user search, but not from the archive itself," Hunt said. With the newest version of its product announced this week, C2C has also added a laptop client that archives an individual user's Outlook mailbox while it's running in cache mode, allowing archived messages to be accessed online and allowing the user to keep track of what content has been archived on his behalf.
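One way to model the per-user archive Hunt describes, as an added example that is not C2C's code: each recipient holds their own copy of a message rather than a shared single instance, so an end user's deletion request, or a "hide from end-user search" flag, affects only that user's archive, while a legal hold blocks deletion. All users and messages are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class ArchiveEntry:
    msg_id: str
    body: str                   # per-user copy: deliberately no single instancing
    searchable: bool = True     # False = hidden from end-user search, still archived
    on_legal_hold: bool = False


class EmailArchive:
    """Constructed example: one mailbox of ArchiveEntry objects per user."""

    def __init__(self):
        self.mailboxes: dict[str, dict[str, ArchiveEntry]] = {}

    def ingest(self, msg_id, body, recipients):
        # A shared (single-instanced) record would mean one deletion hits everyone;
        # storing a copy per recipient keeps each user's archive independent.
        for user in recipients:
            self.mailboxes.setdefault(user, {})[msg_id] = ArchiveEntry(msg_id, body)

    def hide_from_search(self, user, msg_id):
        """Remove a message from one user's search results but not from the archive."""
        self.mailboxes[user][msg_id].searchable = False

    def set_legal_hold(self, msg_id, on=True):
        for box in self.mailboxes.values():
            if msg_id in box:
                box[msg_id].on_legal_hold = on

    def delete_for_user(self, user, msg_id):
        """Honour a deletion request for one mailbox only; refuse if on hold."""
        entry = self.mailboxes.get(user, {}).get(msg_id)
        if entry is None:
            return False
        if entry.on_legal_hold:
            raise PermissionError(f"{msg_id} is on legal hold for {user}")
        del self.mailboxes[user][msg_id]
        return True

    def search(self, user, term):
        """End-user search: only entries still flagged searchable are visible."""
        return sorted(e.msg_id for e in self.mailboxes.get(user, {}).values()
                      if e.searchable and term in e.body)

    def retained(self, msg_id):
        """Compliance view: is any copy of the message still held anywhere?"""
        return any(msg_id in box for box in self.mailboxes.values())
```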

"There are going to be different levels of interpretation of these new laws and how records are retained, as well as who has the rights to information," Hunt said. "Archiving applications will expand down to the individual level and will become more configurable by the end user."

"The question of who has access to archives is something people [in the U.S.] are definitely going to have to think about," Babineau agreed.

And if it isn't H.R. 4127, he added, it will be something else. Currently, the majority of the legal precedent necessary to flesh out the new FRCP has yet to be set in court, but one possible "train wreck" has already surfaced in the case of Berkeley Premium Nutraceuticals Inc., in which a federal appeals court ruled in June that users of ISP-based email, such as Yahoo Mail or Google's Gmail, have an expectation of privacy, and therefore their emails are not discoverable.

"This is another train wreck we're looking at in this country, if that becomes a hard and fast precedent," Babineau said. "What happens if a company is using corporate Gmail? What happens if personal emails are forwarded through a corporate account? The lines are going to get blurred real fast."

So at what point is every IT administrator going to also need a legal degree? "I don't think we'll see things get to that level," Babineau said, but he added that every organization will probably need someone within its ranks who can act as a "translator" between the legal department and IT. "You need a moderator, someone in the middle who can make sure the attorneys and IT are all on the same page when it comes to data management."
