
Storing by the rules

Mar 24, 2003
Topics: Data Center, HIPAA, Regulation

Complying with regulations governing data storage and retrieval could put you on the hot seat. Here’s how to stay cool.

The Department of Health and Human Services, Federal Reserve Board, Food and Drug Administration, Internal Revenue Service, Joint Commission on Accreditation of Healthcare Organizations, National Association of Securities Dealers, Securities and Exchange Commission . . .

The list of regulatory agencies with rules affecting nearly every bit of information stored on corporate networks goes on. Although many of the regulations have been in place for years, such as the SEC’s Rule 17a-3 and 4, enforcement of some is only now being taken seriously. The SEC has shaken corporate executives out of their complacency in its dealings with Enron, WorldCom and others under the agency’s scrutiny for financial malfeasance, imposing fines on brokerages for not keeping e-mail messages, for example.

The Sarbanes-Oxley Act of 2002, too, has been a wake-up call. Pushed through Congress and signed into law in response to last year’s billion-dollar accounting scandals and bankruptcies, the act requires that managers vouch for the internal controls their companies place over areas that include transactions, electronic information and communications. Sarbanes-Oxley will become an SEC rule.

Clearly, protecting paper records is not enough. All data – paper, film-based and electronic – needs to be stored, protected and readily available should a government agency request it. Even everyday tax laws affect data storage, notes Tom Hughes, senior adviser for strategic planning at The George Washington University, in Washington, D.C.

“We store our financial records as images on [write-once, read many] drives,” Hughes says. “Once the image is burned on the WORM disk, it is there forever. That’s one of the requirements of a proposed IRS regulation.”

Preventing a storage crisis while complying with federal healthcare regulations requires much thought, but some guesswork too, says Mark Moroses, senior director of technical services and security officer at Maimonides Medical Center.

Hughes and other IT executives are in the hot seat. They need to provide the storage tools and systems that will let their companies archive and protect records in conformance with rules and regulations. It’s not a good place to be, industry watchers say.

“There is a lot of misunderstanding and ambiguity in the regulations as to how to implement storage systems,” says Peter Gerr, an analyst at Enterprise Storage Group.

The regulations rarely spell out specific implementations or give any guidance other than the number of years data must be kept. IT managers are left figuring out how to meet mandates for electronic records, and to work with vendors who may have a limited understanding of the rules.

Rules for financial firms

Perhaps the most detailed rule for electronic records archiving is SEC Rule 17a-3 and 4, part of the Securities Exchange Act of 1934, revised in 1998 and then again in September 2002. Rule 17a-3 and 4 says brokerages, dealers and transfer agents must preserve electronic data generated from the time of the 1998 revision on nonrewritable, nonerasable media (WORM drives) for a period of not less than six years. Companies must keep logs of when the data is accessed and modified. These logs must show that the data, including that contained in e-mail and instant messages, has not been altered or deleted. Data relating to a particular transaction must be capable of being retrieved quickly for a period of two years from whatever media it is stored on, so a complete record of the transaction can be readily available should the SEC ask for it.

Companies didn’t immediately implement compliant systems, mostly because of a lack of software that allowed compliance.

“When the [SEC] rule came out, those of us in the industry threw up our hands in exasperation. We had no technological source to turn to other than internally conceived ways to review, capture and preserve e-mails,” says Ravi Jethmal, vice president of compliance for Abel/Noser, a New York brokerage.

Admitting his own frustration, Jethmal says, “I had a very hard time finding solutions. A Pandora’s box opened up – three different types of vendors came running at me with their various products, two of which didn’t work.”

Subject to interpretation

Jethmal says he reviewed the SEC regulations and evaluated software and hardware aimed at solving his e-mail archiving problem before choosing Legato Systems’ EmailXtender and EmailXaminer software. Should Abel/Noser face an SEC audit, Jethmal says this software would let him retrieve the electronic documents and e-mails involved in any trading transaction by entering an account number. The software keeps an ongoing log showing when data is accessed, by whom, and what is done to it.

While Rule 17a-3 and 4 is clear on some points, such as use of nonrewritable, nonerasable media for e-mail archiving, it is far less precise on other aspects, Jethmal says. “Don’t ask me what the term ‘readily available’ means – it’s an SEC term you’d have to go to Washington to get a definition of,” he quips.

Jethmal has interpreted “readily available” to mean having two years worth of data online and immediately retrievable. He stores messaging data on optical disks that can neither be erased nor altered.

Jeff Polsgrove, CIO for Scottrade, a financial firm in St. Louis, is experiencing the same frustration with the financial rules. Regulations require an IT system that can store years of historical financial data.

“Because of the volume of data we manage, I have to load up a bunch of tapes to find a file and start manually searching,” Polsgrove says. “Maintaining deep archives [of information] means I keep tape after tape of records. If the tapes are sent off-site as companies normally do, we need to get them back before we can find a record.” Manually reconstructing a transaction from tape and paper-based records could take days, Polsgrove says.

Polsgrove has settled on EMC’s Centera storage system. Individual records are linked by searchable metadata and stored on inexpensive disks (local ATA drives). Centera, combined with document and records-archiving software, builds indexes for each transaction so they can be easily retrieved, thus satisfying SEC and NASD rules regarding data retention. Polsgrove ensures integrity by backing up the data to tape and replicating it off-site.

Scratchy medical prescriptions

When it comes to regulating medical data, rules are even sketchier than they are for financial firms, says Mark Moroses, senior director of technical services and security officer for Maimonides Medical Center in Brooklyn, N.Y.

Moroses points to HHS’ Health Insurance Portability and Accountability Act (HIPAA), a set of federal transaction and data protection regulations for healthcare providers, plans and clearinghouses, as an example. “There is a disaster recovery piece to HIPAA,” he says. “Of course, there are no specific guidelines on how they want you to accomplish it, but they say you do have to have a disaster-recovery plan in place that they can come in and look at if they want.”

For HIPAA, Maimonides must keep pediatric records for up to 21 years and adult patient records for seven years.

“The biggest thing [in HIPAA] is the impact of the audit trails,” Moroses adds, explaining that audit trails, created by archival software to show transaction history, often take up as much space on disk as the data itself. “That really is a huge impact on your storage. I need to know what transactions are occurring on a daily basis, who is accessing the network, how they are using it, and I need to keep the [audit logs] for a long period of time.”

Moroses has turned to DataCore Software’s SANsymphony software, which combines storage resources from distributed disk drives into a manageable pool. The pool contains data from a mainframe server, five Unix servers, and 135 Windows and NetWare servers located across seven campuses and 40 outlying facilities.

“Add the paper medical records kept off-site, and it becomes a real burden,” Moroses says. “Once you get to that standpoint or are forced into it by HIPAA, you are looking at high-availability storage-area networks and HIPAA-compliant electronic medical records with the necessary audit trail built into them.”

Keeping tabs on employees

State regulations can be killers, too.

At North Carolina State University, IT managers are grappling with stringent human resources regulations, says Henry Vail, systems architect at the Raleigh university.

For instance, NCSU must electronically archive employee records for 30 years after employment ends. “Some records are quite extensive – the paper files are at least two inches thick per employee,” Vail says, noting that he is looking at StorageTek’s VolSafe for secure data storage and chose Documentum’s Document Asset Management software to build an audit log, which makes the records easier to retrieve.

Documentum, EMC, Legato and StorageTek are among a handful of vendors talking compliance.

Enterprise Storage Group’s Gerr summarizes the difficulty IT managers face in following data storage laws these days. “If I was an IT manager, I would feel totally lost right now because there are few vendors talking about compliance. It’s really the Wild West.”

Choosing products for regulatory compliance

Meeting mandates on data archival and retrieval spelled out by HHS, IRS, SEC and other government agencies means finding the right combination of hardware, software and services that allow compliance.

Look for hardware that:
Stores data on disk for easy and fast retrieval.
Supports write-once-read-many and non-erasable disk formats to ensure data integrity.
Products to consider: EMC’s Centera disk-based array, Hewlett-Packard’s 2200mx optical jukebox, IBM’s 3995 Optical Library and 7133 Serial Disk System, Plasmon’s G-Series and M-Series magneto-optical libraries, StorageTek’s VolSafe secure media technology.

Look for software and services that:
Link individual records, images or e-mail messages by searchable metadata for quick access.
Build indexes for each transaction for easy retrieval and auditing.
Provide audit logs that show when data has been accessed and by whom.
Secure stored and archived data, including e-mail messages, to prevent changes.
Products to consider: CYA Technologies’ iArchive, Documentum’s Enterprise Document Management and Documentum Compliance Solution, GoldenGate’s GoldenGate, IBM’s Content Manager, KVS’ Enterprise Vault, Legato Systems’ ArchiveXtender, EmailXtender and EmailXaminer, Tumbleweed Communications’ Secure Archive.
Services to consider: Iron Mountain’s Digital Archive, Zantaz’s Digital Safe.
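The checklist above asks for non-erasable storage and an audit log showing when data was accessed and by whom, the same two properties Rule 17a-3 and 4 demands earlier in the article. As an added illustration, not code from the article or from any vendor named in it, the Python below models those properties: a record id can be written once, every read is logged, and log entries are hash-chained so that editing a record, altering an entry or cutting one out of the chain is detectable. The WormArchive class and its method names are this example's own invention.

```python
import hashlib
import json
import time


def _digest(data):
    return hashlib.sha256(data).hexdigest()


class WormArchive:
    """Constructed model: write-once record store plus a hash-chained audit trail."""

    def __init__(self):
        self.records = {}  # record_id -> bytes, never overwritten or removed
        self.audit = []    # append-only; each entry commits to the previous one

    def _log(self, actor, action, record_id, content):
        prev = self.audit[-1]["entry_hash"] if self.audit else "0" * 64
        entry = {"at": time.time(), "actor": actor, "action": action,
                 "record": record_id, "content_sha256": _digest(content),
                 "prev": prev}
        entry["entry_hash"] = _digest(json.dumps(entry, sort_keys=True).encode())
        self.audit.append(entry)

    def put(self, record_id, content, actor):
        # WORM semantics: a record id can be written exactly once, by anyone.
        if record_id in self.records:
            raise PermissionError(f"{record_id} already on non-rewritable media")
        self.records[record_id] = bytes(content)
        self._log(actor, "write", record_id, content)

    def get(self, record_id, actor):
        content = self.records[record_id]
        self._log(actor, "read", record_id, content)  # who read what, in order
        return content

    def verify(self):
        """False if an entry was edited or cut from inside the chain, or a record changed."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["prev"] != prev or entry["entry_hash"] != _digest(
                    json.dumps(body, sort_keys=True).encode()):
                return False
            stored = self.records.get(entry["record"])
            if stored is None or _digest(stored) != entry["content_sha256"]:
                return False
            prev = entry["entry_hash"]
        return True
```

Truncating the chain at its tail is not caught by verify() alone; in practice the latest entry hash is copied periodically to separate media so a shortened log can be noticed.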