Iron Mountain CEO defends firm's security efforts

Iron Mountain CEO Richard Reese, whose company manages more than 11 petabytes of data for corporate clients, says his biggest challenge is helping customers merge physical and data storage environments. In a recent interview with Computerworld at Iron Mountain's headquarters in Boston, Reese addressed what he called inaccurate reports that the company has lost client tapes from its trucks and facilities, the effect of regulatory compliance on retention practices, and the progress of Iron Mountain's fledgling Digital Business Unit.

Have reports that Iron Mountain loses tapes stored for customers been mostly accurate?

We're so big people in the press just assume we lose tapes. Most of the reported incidents that our name has been associated with we didn't do. Anytime you stop and open the door you have the possibility of an error. People can make mistakes, and they do. When you move so much, you never want to see a single event and that's what I'm striving for but we'll never get there.

Has Iron Mountain had to overcompensate to prevent future data losses and human error?

You have to. We didn't sit back. As soon as we came to understand how our customers were beginning to look at these problems we've been running hard ever since. A big part of what we've been trying to do is educate customers. Half the problem has been customers, it's their legal departments who don't understand the technology processes for archival and storage. And the business people don't understand how legal rules and responsibilities have changed.

Have customers become more careful about how they transport tapes?

In the information transport business, the world used to be a fairly loosely based chain of custody. Companies had multiple copies of backup tapes -- one off-site for disaster recovery and a couple on site for quick recovery. If they lost one, it didn't matter because they had the original data. So they would transport data in common carriers and airlines. But with data privacy concerns and new laws, what used to be a misplaced tape is now a data privacy disclosure event. Now customers have to track every item everywhere.

Would encrypting all transported data ensure its security?

We tell customers that if you are looking for perfection, encryption is the only way to get there -- but not all data needs perfection. Encryption causes throughput and speed issues and affects backup windows. It requires adjusting your processes to move large amounts of data.

Iron Mountain acquired Connected in late 2004 to form a new Digital Business Unit offering e-records management, data protection and storage services. Has it met your expectations?

Shareholders ask me 'when is this digital thing going to pay?' The digital business has done well. It's turned all the financial metrics' corners and starting to show some product lines. Others still have a ways to go. So we're pleased about the digital business, but the funny thing about it is the [common] question, 'when's it going to be a significant part of Iron Mountain?' The answer is: we've got to kill paper for that to happen.

How do changing laws and regulations affect corporate data retention policies?

The more information you have and the more valuable it is, the more it's regulated, the more it's litigated and the more it can be used against you. It's just that simple. People go where the value is and they try to control that. That's a very tough problem to solve.

Should companies destroy or keep all their data to avoid problems under new e-discovery requirements?

The strategy of just aggressively getting rid of data absent of policy is going to be a loser and it's going to cost you. But the strategy of keeping it all -- and managing and discovering all your data -- is going to kill you as well. The right strategy is to put in process, procedures and technologies to destroy information as part of policy. For those companies saying "I'll get rid of it; I'll take my chances," all their doing is making an informal risk assessment of the probability that if I'm ever called on the mat, that cost will be less than all the issues and cost I'll have of keeping it.