
Confusion reigns over data archiving

By Deni Connor, Network World
June 23, 2003 12:04 AM ET

NEW YORK - Users, vendors and securities industry officials wrangled last week at the Securities Industry Association Technology Management Conference in New York about ambiguous Securities and Exchange Commission requirements on e-mail archiving and retention.

Storage vendors EMC and Iron Mountain reacted to the recently released SEC 17a-4 Interpretive Ruling by showing off hardware and software that they say complies with the ruling. The original SEC Rule 17a-4 and the new Interpretive Release define how broker-dealers should archive and retain electronic communications, including e-mails and instant messages relating to trades.

"There is a lot of confusion in the securities industry about what has to be retained and for how long," said Mark Lackritz, president of the SIA, in a speech at the show.

After years of clamoring by security organizations to clarify the records management rule, the SEC issued the interpretive release in May. This interpretation clearly dispels the issues around the deployment of storage hardware and software for e-mail retention, the SEC says.

The interpretation says that broker-dealers must preserve records "in a non-rewriteable and non-erasable format." This means that customers can deploy systems that use disk-based storage media and integrated software that prevents the overwriting, erasure or alteration of records. Before the interpretation, users understood this to mean that e-mails and instant messages needed to be stored on write-once, read-many storage media, such as optical platters, CD-ROMs or DVDs.

But neither the SEC nor the non-government self-regulatory organizations (SRO), such as the National Association of Securities Dealers, specify which hardware/software combinations are compliant. That means IT executives are left to determine whether their deployment of storage software and hardware is compliant.

"The SRO isn't going to tell the customer what is compliant," says Patrick Gordon, a consultant with Compliant Systems Consulting. "[Customers] are going to have to get their compliance people, legal departments and their IT people together and hash out the rules. It's up to the users to do their own research."

The interpretation is also "the death knell" for systems that use passwords, authentication and approval policies to ensure that e-mails aren't deleted or altered, Gordon says.

"Such systems - which may use software applications to protect electronic records, such as authentication and approval policies, passwords or other extrinsic security controls - do not maintain the records in a manner that is non-rewriteable and non-erasable," the interpretive release says.
