The thicket of federal, state, and industry-specific regulations is enormously complex. Most organizations fail to comply with some rules, often due to policy conflicts. The best way for companies to navigate the maze and avoid penalties is to show a "best effort" -- a serious, honest attempt to ensure that records are properly and securely archived in accordance with the best possible understanding of regulations.
For IT, compliance begins with determining the systems and processes necessary to archive the entire gamut of pertinent data -- including email, IMs, files from office suites, scans of documents, photos, faxes, audio files, videos, log files, and more.
These efforts go beyond merely storing information. Data must be archived securely, in an auditable framework, and managed over its lifetime, which can range from a few months to 20 years or more, depending on the type of data and the regulations that apply. Then it must be deleted securely when no longer required.
The liability of lax compliance can be enormous. No company wants to lose a lawsuit because it was unable to respond to legal discovery requirements or face enormous fines because it failed to observe records-keeping or security rules. Both management and IT need to be aware of the archiving requirements for their industry. And IT needs an end-to-end strategy to meet the archiving challenge.
Key compliance regulations and what they mandate
Compliance isn't easy. In some instances, regulatory requirements for archiving overlap or even conflict with each other. For example, one regulation may require that patient records be archived for seven years and then securely disposed of, while another may require that records be held for the lifetime of a patient.
No wonder many companies lean toward "saving everything" by default. The Federal Rules of Civil Procedure require that companies maintain and produce on demand not only paper records but any and all electronically stored information during the discovery phase of litigation. Failing to maintain archives of email and other files may not only result in large financial penalties but also expose IT staff to fines or even jail time.
To minimize risk, management and IT need to collaborate and create a framework that can ensure proper procedures are followed and can adapt as regulations change. Here's a quick review of where several of the most prominent regulations stand today.
Sarbanes-Oxley and other financial regulations
The Sarbanes-Oxley Act of 2002 is a federal law enacted in the wake of several major corporate accounting scandals, notably the Enron fiasco. Sarbanes-Oxley sets new or enhanced standards for accounting firms, public companies, and corporate management. The infamous Sarbanes-Oxley Section 802, which pertains to records retention, has the greatest applicability to archiving.
Section 802 requires public companies and their accountants to maintain all audit or review documents, including all electronic records, for five years from the end of the fiscal period in which the audit or review was concluded. Because documents must be readable for the five-year period, it's also essential to ensure that document readers or other applications continue to be supported for the full cycle.
Typically, companies are expected to show documented policies on retention and protection of data, on destruction at the end of the retention period, and on audit trails. Companies may also need to defend the quality of their systems by showing that the steps required to provide adequate security, fault tolerance, and controls were actually taken.
Other financial regulations and organizations that deal with archiving policies include the Financial Industry Regulatory Authority, the Securities and Exchange Commission, and the Gramm-Leach-Bliley Act. Each deals with various parts of a company's financial records, stock trading, banking, and investments, with different requirements for disclosure, records retention, and audits.
HIPAA and health records
The Health Insurance Portability and Accountability Act (HIPAA) requires, among many other things, that employee health records (and customer health records, if a company provides health services) be retained securely for a prescribed period and then disposed of securely.
Retention periods vary from two years to seven, depending on state as well as federal requirements and the types of records; for example, records of minors may need to be retained until the minors are 21. HIPAA requires that companies be able to demonstrate that records are secure, and that, in the event of a data leak, they be capable of determining whether records have been accessed.
The new HITECH Act, part of the 2009 economic stimulus package passed by Congress, offers incentives to use electronic health records (EHR) and will eventually reduce Medicare payments to doctors and physician groups that don't use EHR. This means that in the long term, virtually all health organizations will be handling vast amounts of electronic data and will need to archive and protect that data.
PCI compliance and archiving
The Payment Card Industry archiving requirements revolve around security rather than retention periods -- data must be stored securely, in encrypted form. This includes data stored in online databases, data stored on tape or other removable media, as well as data transmitted over the Internet. Database access logs and other records of transactions must be stored separately to enable tracking and auditing of data access.
In addition to requiring encryption and other security measures, some states require notification of data breaches to all potentially affected customers, making it essential to track data breaches and to be able to identify all customer records contained in specific archives, tape backups, or other systems that could be accessed or lost.