How to comply with electronic data archiving laws

December 19, 2006

Governments worldwide are placing companies under increasing scrutiny as corporate failures and fraud, from Enron to Shell, from WorldCom to Nortel, have demonstrated the requirement for legislation and regulation. UK businesses are challenged more than ever before by electronic data laws, and they need to ensure that they are complying with all of the different legal requirements.

Understanding and complying with the minefield of compliance regulations can be a challenging and expensive task. The UK now has a regulatory regime where financial reporting systems must be of the same industrial strength as transactional process systems. UK organisations now have to ensure all data relating to trades, transactions and all accounting practices throughout the organisation is auditable.

Laws such as the Freedom of Information Act state that public authorities must comply with requests from the general public for the information they hold, which may pose data accessibility challenges. Basel II, which introduces new requirements with regard to measuring credit and operational risk for European banks, asks them to retain historical data for up to five years and to have it readily available for inspection – to ensure banks retain sufficient capital to cover their risk.

Nor are UK businesses challenged only by UK and European laws: the US Sarbanes-Oxley Act of 2002 requires publicly traded companies, accountants, attorneys, and even firms that intend to go public, to retain electronic business records for five years and financial data for seven years after an audit. Sarbanes-Oxley does not just apply to US companies – any European business listed on the US stock exchange is affected and any European company with 300 or more shareholders in the US is bound by the requirements. To comply with Sarbanes-Oxley – which is now in full effect – companies are spending millions of pounds on their IT infrastructure.

IT infrastructure

Compliance hits at the core of data control and pushes examination of it further into the organisation. Companies are now having to grapple with how to build an IT infrastructure that retains data over long periods of time, keeps data secure in its original format and can easily be recovered at any time.

Almost half of British businesses believe their IT costs have increased over the past two years as a direct result of complying with mounting legislation, according to research by Dell. On average, over one-tenth of the annual technology budget is spent complying with legislation, with almost a quarter of businesses feeling that this is to the detriment of budget needed for other vital resources.

The non-financial cost of non-compliance can be high too. Companies across all sectors – from pharmaceutical, healthcare and financial services to construction, retail and transportation – can risk litigation and criminal penalties if they do not comply with electronic data laws.

Despite this, three quarters of British businesses questioned in Dell's survey were not confident that they could comply with all legislation requirements pushed upon them, citing reasons such as the increasing number of regulations, lack of awareness of legislation and a lack of time to deal with it.

Companies must remember, however, that legislation has not been created to catch them out. Revamping data storage processes does not have to be just a bureaucratic hoop-jumping exercise for companies. An organisation's compliance-driven IT architecture can also lead to opportunity. Alongside operational efficiency, such as the systematic archiving of financial data, email and other important records, businesses could also expect to see reduced risk to business continuity as well as a greater trust in their brand as a result of compliance.

“It is smart to comply with the law. In addition, this whole undertaking can be a real performance enhancer for businesses at the process level,” says Andy Efstathiou, a technology management strategies analyst for the Yankee Group. “By investing the appropriate amount of time architecting and thinking strategically, you can satisfy regulatory requirements while you develop a better understanding of your own business.”

The route to compliance

No matter what data storage and security strategy an organisation uses, IT decision makers should consider these six key questions:

1. Will content be stored and remain unaltered over the required retention time frame?

2. How will this technology stay updated to ensure long-term availability of records?

3. Does this technology enable the organisation to retrieve data quickly enough to respond to a legal request within the stipulated deadline?

4. Can this technology grow with the business and meet regulatory requirements?

5. Can this technology be used with other content generating applications?

6. How will this data storage architecture address litigation and discovery challenges?

Best practices for archiving and protecting business data

To meet the requirements of regulatory compliance, businesses must focus on the collection, secure storage and easy retrieval of business-critical data. After learning which electronic data laws affect them, companies must follow best practice processes and build an IT architecture that will support all legislation requirements.

“The way most regulations are written, there isn't a clear road map to compliance,” says Efstathiou. “What eventually rises to the surface are best practices. Companies cannot ignore the regulations, but they can tailor the regulations for a mutually acceptable outcome for the government and private industry.”

For industries that must comply with electronic data laws, the growing response is to adopt an approach that includes processes, people, and technology to effectively manage and maintain electronic records. The key is to balance vulnerabilities, risks and costs with operational needs.

Companies should consider the following aspects:

Requirements. Companies need to determine which regulations affect them and require compliance. Many companies are getting guidance from legal consultants, industry associations and external auditors.

Roles. Many laws ask senior executives to take responsibility for ensuring information security and deciding how to respond to regulations. A data security strategy should be tailored to the organisation's needs, and executives should assign explicit roles, responsibilities, authority and accountability to the individuals who should carry out the plans.

Data retention. While assessing data security needs, companies should determine the impact that regulations will have on their data. Where do certain kinds of data reside in the organisation? What data formats do you use? How should you index files? Does data have to be maintained for long periods of time? How quickly must you be able to access it? Must it be readily accessible, even with future software? Do you need to keep data in its original format and never alter it?

Security status. Companies should assess current data processes and security practices, including networks, facilities and hardware. What is being stored and backed up on the network? Identify security gaps and develop a plan to close them. It is essential to keep employees trained and aware as new data management and security requirements unfold. Conduct periodic testing, evaluate the effectiveness of security policies and procedures, and respond quickly to vulnerabilities.

Enabling technology. Based on regulatory requirements, organisations usually have to deal with two types of data: data that is unalterable and data that is alterable or removable. Unalterable data, such as permanent records and e-mail archives, usually must be kept on-site and require a permanent storage array. Alterable or removable data can be stored off-site and only needs to be kept for a set period.

Data backups are necessary to recover lost data in an emergency, but they typically retain data for a shorter time. Data archives, on the other hand, are designed for the long term and require a combination of online and offline storage solutions.

Companies will have to map out an architecture that automates data backup and recovery processes, including offline and online storage, and allows for storage of media that needs to be indexed and retained for long periods of time. To comply with Basel II, for example, European banks will have to consider whether their IT architecture meets auditing requirements.

“To comply with regulations, you have to implement solutions across multiple silos within your organisation,” says Efstathiou. “You need the ability to bridge multiple silos to create a holistic view of the organisation – a view that is more cost-efficient and secure. For most organisations, it takes a fair amount of lead time to implement new solutions, test them, and work out the bugs – and most need to customise their infrastructures to a certain degree.”
