Challenged by compliance

Regulatory witch hunts Marked by ambiguity Spending forecast Struggle synopsis

It's compliance time, and that means enterprise IT executives should know where and on what type of media corporate data is stored, and how long it needs to be retained. But by all indications, most everyone still is struggling with how to get in line with the new regulations governing business practices.

"In general, IT and business professionals across a variety of industries still don't even know how to begin discussing compliance as a business issue," says Pete Gerr, a research analyst with Enterprise Storage Group. "Is it the CIO's problem? Is it the [vice president] of IT's problem? Is it a storage problem? Compliance touches all of these groups and more, so it requires knocking down the communications barriers that normally exist between IT and the rest of the business."

Companies know they can't take compliance issues lightly. They can incur steep fines for failing to comply, and IT and other corporate executives can face jail time over non-compliance.

"Practically every IT executive gets hit by this somehow," says Johna Till Johnson, president of Nemertes Research and a Network World columnist. "If someone touches [data] he shouldn't have, IT executives could be sent to jail. People are starting to slowly realize that they are personally exposed."

Regulatory witch hunts

The stakes certainly are high and the threat very real, Gerr agrees. "Regulatory bodies in certain industries like financial services, and increasingly healthcare and pharmaceuticals, are on a compliance witch hunt," he says. "They've got the companies that must comply with these regulations on the defensive." (The Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act, which govern financial services and healthcare, are the most notable of the compliance regulations, but dozens of others affect a variety of industries.)

A sense of urgency pervades an e-mail compliance project underway at The Mony Group, says Brian Hust, IT project manager at the New York financial services firm. Mony typically had stored e-mails on optical disks for 60 days. But the Securities and Exchange Commission (SEC) mandates that e-mails be stored on write-once read-many (WORM) media and retained for three years. So Mony now is analyzing e-mails and converting them to a new WORM storage system from EMC  at a cost of about $400,000.

"We've seen the headlines about companies in our industry receiving significant fines for not retaining e-mail," Hust says. "We're going to look for solutions to avoid that."

Keeping in line with the law won't be easy, even for the most diligent. The problem is that requirements keep changing.

Enterprise Storage Group estimates businesses will spend more than $6 billion on hardware, software, and services related to storage compliance over the next four years. The storage capacity needed to keep compliant records will increase dramatically , the firm says.

Gerr cites a three-month Enterprise Storage Group study of four industries and the regulations that affected each: "We read the regulations, spoke with the individuals and groups that drafted and enforce the regulations, and spoke to end users that are being called to comply. The most persistent conclusion we draw from our research into these regulations is that they are in constant flux and that we are simply witnessing the tip of the iceberg with respect to the impact compliance will make."