Challenged by compliance

Most IT executives still haven’t figured out how they’re going to get data storage and access in line with the law.

It’s compliance time, and that means enterprise IT executives should know where and on what type of media corporate data is stored, and how long it needs to be retained. But by all indications, most everyone still is struggling with how to get in line with the new regulations governing business practices.

“In general, IT and business professionals across a variety of industries still don’t even know how to begin discussing compliance as a business issue,” says Pete Gerr, a research analyst with Enterprise Storage Group. “Is it the CIO’s problem? Is it the [vice president] of IT’s problem? Is it a storage problem? Compliance touches all of these groups and more, so it requires knocking down the communications barriers that normally exist between IT and the rest of the business.”

Companies know they can’t take compliance issues lightly. They can incur steep fines for failing to comply, and IT and other corporate executives can face jail time over non-compliance.

“Practically every IT executive gets hit by this somehow,” says Johna Till Johnson, president of Nemertes Research and a Network World columnist. “If someone touches [data] he shouldn’t have, IT executives could be sent to jail. People are starting to slowly realize that they are personally exposed.”

Regulatory witch hunts

The stakes certainly are high and the threat very real, Gerr agrees. “Regulatory bodies in certain industries like financial services, and increasingly healthcare and pharmaceuticals, are on a compliance witch hunt,” he says. “They’ve got the companies that must comply with these regulations on the defensive.” (The Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act, which govern financial services and healthcare, are the most notable of the compliance regulations, but dozens of others affect a variety of industries.)

A sense of urgency pervades an e-mail compliance project underway at The Mony Group, says Brian Hust, IT project manager at the New York financial services firm. Mony typically had stored e-mails on optical disks for 60 days. But the Securities and Exchange Commission (SEC) mandates that e-mails be stored on write-once read-many (WORM) media and retained for three years. So Mony now is analyzing e-mails and converting them to a new WORM storage system from EMC  at a cost of about $400,000.

“We’ve seen the headlines about companies in our industry receiving significant fines for not retaining e-mail,” Hust says. “We’re going to look for solutions to avoid that.”

Keeping in line with the law won’t be easy, even for the most diligent. The problem is that requirements keep changing.

Gerr cites a three-month Enterprise Storage Group study of four industries and the regulations that affected each: “We read the regulations, spoke with the individuals and groups that drafted and enforce the regulations, and spoke to end users that are being called to comply. The most persistent conclusion we draw from our research into these regulations is that they are in constant flux and that we are simply witnessing the tip of the iceberg with respect to the impact compliance will make.”

Marked by ambiguity

Understanding what’s required to maintain compliance vs. what’s recommended or suggested also presents a challenge, Gerr says. “The regulations are notoriously vague and ambiguous as to how to achieve compliance, [and] what technologies or media types are acceptable,” he says. “The majority of the regulations as written today don’t have a testing or certification program for compliant solutions, so it’s very difficult for the end users to even know when they’re exposed.”

Throwing hardware at the problem isn’t an answer, says Sheila Childs, chairman of the Storage Networking Industry Association, a group representing storage vendors and users. “Companies must have some understanding of the regulations. They need to look at things like how to preserve the accuracy of records, to ensure that records are in a format that can’t be modified. Then they can make decisions about what kind of technologies to deploy,” she says.

Mony, which must comply with Sarbanes-Oxley and the SEC regulations, is handling compliance in stages, says Jay Cohen, chief corporate compliance officer at the firm. First comes the supervision and retention of e-mail from thousands of employees and associates. Analysis of other electronic files will follow. Cohen, who’s working with IT to determine storage and other needs for compliance, says he doesn’t know how long overall compliance efforts will last.

“You have to figure out what in your electronic records is a business record or a legal record that might have content that has to be retained,” Cohen says. “That’s a big, big challenge.”

And one that will persist for years, Gerr says.

Violino is a freelance writer covering business and technology. He can be reached at bviolino@optonline.net .