Archiving and protecting data to comply with electronic data laws
8 November 2006
Governments worldwide are placing companies under
increasing scrutiny as corporate failures and fraud, from Enron to Shell,
from WorldCom to Nortel, have demonstrated the requirement for legislation
and regulation. Businesses are challenged more than ever before by
electronic data laws and they need to ensure that they are complying with
all of the different legal requirements.
Understanding and complying with the minefield of compliance regulations can
be a challenging and expensive task. Regulatory regimes require financial
reporting systems to be of the same industrial strength as transactional
In the UK organisations now have to ensure all data relating to trades,
transactions and all accounting practices throughout the organisation is
auditable. Laws such as the Freedom of Information Act, state that public
authorities must comply with requests for the information they hold from the
general public, which may pose data accessibility challenges.
Basel II, which introduces new requirements with regard to measuring
credit and operational risk for European banks, asks them to retain
historical data for up to five years, and have it readily available for
inspection — to ensure banks retain sufficient capital to cover their risk.
European businesses are not only challenged with local and European laws,
the US Sarbanes-Oxley Act of 2002 requires publicly traded companies,
accountants, attorneys, and even firms that intend to go public, to retain
electronic business records for five years and financial data for seven
years after an audit.
Sarbanes-Oxley does not just apply to US companies — any European
business listed on the US stock exchange is affected and any European
company with 300 or more shareholders in the US is bound by the
requirements. To comply with Sarbanes-Oxley — which is now in full effect —
companies are spending millions of pounds on their IT infrastructure.
Compliance hits at the core of data control and
pushes examination of it further into the organisation. Companies are now
having to grapple with how to build an IT infrastructure that retains data
over long periods of time, keeps data secure in its original format and can
easily be recovered at any time.
Almost half of British businesses believe their IT costs have increased
over the past two years as a direct result of complying with mounting
legislation, according to research by Dell. On average, over one-tenth of
the annual technology budget is spent complying with legislation, with
almost a quarter of businesses feeling that this is to the detriment of
budget needed for other vital resources.
The non-financial cost of
non-compliance can be high too. Companies across all sectors — from
pharmaceutical, healthcare and financial services to construction, retail
and transportation — can risk litigation and criminal penalties if they do
not comply with electronic data laws.
Despite this, three quarters of
British businesses questioned in Dell’s survey were not confident that they
can comply with all legislation requirements pushed upon them, citing
reasons such as the increasing number of regulations, lack of awareness of
legislation and a lack of time to deal with it.
Companies must remember, however, that legislation has not been created
to catch them out. Revamping data storage processes does not have to be just
a bureaucratic hoop-jumping exercise for companies. An organisation’s
compliance-driven IT architecture can also lead to opportunity. Alongside
operational efficiency, such as the systematic archiving of financial data,
email and other important records, businesses could also expect to see
reduced risk to business continuity as well as a greater trust in their
brand as a result of compliance.
“It is smart to comply with the law. In
addition, this whole undertaking can be a real performance enhancer for
businesses at the process level,” says Andy Efstathiou, a technology
management strategies analyst for the Yankee Group. “By investing the
appropriate amount of time architecting and thinking strategically, you can
satisfy regulatory requirements while you develop a better understanding of
your own business.”
The route to compliance
No matter what data
storage and security strategy an organisation uses, IT decision makers
should consider these six key questions:
- Will content be stored and remain unaltered over the required
retention time frame?
- How will this technology stay updated to ensure long-term
availability of records?
- Does this technology enable the organisation to retrieve data
quickly enough to respond to a legal request within the stipulated
- Can this technology grow with the business and meet regulatory
- Can this technology be used with other content generating
- How will this data storage architecture address litigation and
Best practices for archiving and protecting business data
meet the requirements of regulatory compliance, businesses must focus on the
collection; secure storage and easy retrieval of business critical data.
After learning which electronic data laws affect them, companies must follow
best practice processes and build an IT architecture that will support all
“The way most regulations are written, there isn’t a clear road map
to compliance,” says Efstathiou. “What eventually rises to the surface
are best practices. Companies cannot ignore the regulations, but they
can tailor the regulations for a mutually acceptable outcome for the
government and private industry.”
For industries that must comply with electronic data laws, the
growing response is to adopt an approach that includes processes,
people, and technology to effectively manage and maintain electronic
records. The key is to balance vulnerabilities, risks and costs with
Companies should consider the following aspects:
- Requirements: Companies need to determine which
regulations affect them and require compliance. Many companies are
getting guidance from legal consultants, industry associations and
- Roles: Many laws ask senior executives to take
responsibility for ensuring information security and deciding how to
respond to regulations. A data security strategy should be tailored
to the organisation’s needs, and executives should assign explicit
roles, responsibilities, authority and accountability to the
individuals who should carry out the plans.
- Data retention: While assessing data security needs,
companies should determine the impact that regulations will have on
their data. Where do certain kinds of data reside in the
organisation? What data formats do you use? How should you index
files? Does data have to be maintained for long periods of time? How
quickly must you be able to access it? Must it be readily
accessible, even with future software? Do you need to keep data in
its original format and never alter it?
- Security status: Companies should assess current data
processes and security practices, including networks, facilities and
hardware. What is being stored and backed up on the network?
Identify security gaps and develop a plan to close them. It is
essential to keep employees trained and aware as new data management
and security requirements unfold. Regularly conduct periodic testing
and evaluate the effectiveness of security policies and procedures
and quickly respond to vulnerabilities.
- Enabling technology: Based on regulatory requirements,
organisations usually have to deal with two types of data: data that
is unalterable and data that is alterable or removable. Unalterable
data, such as permanent records and e-mail archives, usually must be
kept on-site and require a permanent storage array. Alterable or
removable data can be stored off-site and only needs to be kept for
a set period.
Data backups are necessary to recover lost data in an emergency,
but they typically retain data for a shorter time. Data archives, on
the other hand, are designed for the long term and require a
combination of online and offline storage solutions.
will have to map out an architecture that automates data backup and recovery
processes, including offline and online storage, and allows for storage of
media that needs to be indexed and retained for long periods of time. To
comply with Basel II, for example, European banks will have to consider
whether their IT architecture meets auditing requirements.
“To comply with
regulations, you have to implement solutions across multiple silos within
your organisation,” says Efstathiou. “You need the ability to bridge
multiple silos to create a holistic view of the organisation — a view that
is more cost-efficient and secure. For most organisations, it takes a fair
amount of lead time to implement new solutions, test them, and work out the
bugs — and most need to customise their infrastructures to a certain
Hugh Jenkins, Enterprise Marketing Director, Dell UK
Dell UK exhibited at Storage Expo 2006 (National
Hall, Olympia, London from 18-19 October 2006) the UK's largest and
most important event dedicated to data storage, now in its 6th year: