Sorting through regulatory compliance hype

By Heidi Biggar

You would have had to be living under a rock for the past few months to have missed all the vendor noise about SEC 17a, HIPAA, and Sarbanes-Oxley. In fact, many storage vendors have made these new regulations a central focus of their marketing efforts.

In some cases, the regulations have significant IT and business implications, but in other cases they don't—at least from a storage perspective. Regardless, compliant records growth is something every organization, in every vertical industry, will have to contend with in the near future, if they haven't already.

"The compliance-related events that have made the news in the past year are the tip of an iceberg that will have enormous impact on both the IT and business components of organizations in every market," says Peter Gerr, a research analyst at the Enterprise Storage Group (ESG) and co-author of the study Compliance: The effect on information management and the storage industry.

ESG predicts that the worldwide capacity of compliant records will increase at a staggering 64% CAGR between 2003 and 2006, from 376 petabytes to 1,644PB. ESG defines "compliant records" as any number of information types subject to rules. There are currently more than 10,000 regulations in the US, spanning many industries, and no end is in sight, according to ESG.

As more records are created and retained, and the risk and value of this information increases, organizations can expect to see more regulations across more industries, says Gerr. "Compliance is not an option, but is essential if organizations want to successfully pass inspections, avoid fines and loss of trust, and compete in a global market while evolving their records management processes to 'best in practice.'"

The ESG study focused on four industries (life sciences/pharmaceuticals, healthcare, financial services, and government) and the key regulations in each of these markets (e.g., 21 CFR Part 11, HIPAA, SEC 17a, Sarbanes-Oxley, and DoD 5015.2).

Among other things, ESG's objective was to sort through all the hype and provide an interpretation of each rule and its storage implications, explains Gerr. While some of the new regulations dictate specific, and detailed, storage requirements (e.g., SEC 17a), others do not (e.g., HIPAA and Sarbanes-Oxley). However, lengthy retention periods and growing paper (and digital) record stockpiles will likely have significant storage implications over the near- and long-term.

The reality is that most compliant records today come in paper formats, explains Gerr. "The question organizations need to ask is, 'Can I afford to retain paper records for these periods?' At some point, it becomes a cost and management nightmare."

Of the vertical industries covered in the report, life sciences was reported to have the fastest growing capacity of compliant records (86% CAGR over the forecast period), while the healthcare industry had the largest capacity of compliant records (currently at 68PB).

As for the type of media most commonly used to store this type of information, Gerr says disk-based storage is the fastest-growing media type (172% CAGR), although tape is still the most popular storage medium for compliant records.

Gerr says that the prohibitive cost of traditional ways of retaining, managing, and disposing of compliant records, as well as the sheer volume of new records being generated, has resulted in the need for new storage solutions. These solutions need to meet specified retention and disposition schedules, as well as privacy, security, and long-term data discovery, legibility, authenticity, and audit regulations, according to Gerr (see table).

SEC 17a-3 and 17a-4

17 CFR 240.17a-3 and 17 CFR 240.17a-4, more commonly referred to as SEC rules 17a-3 and 17a-4, dictate rules and regulations for the financial services industry, specifically for brokers and dealers. According to ESG, these two rules are by far the most stringent record archiving and retention regulations today.

Specifically, the two rules define the types of records that financial institutions must create and retain, as well as other issues related to compliance, such as retention periods and media types.

ESG notes that the SEC has been slow to evolve in terms of allowing brokers/dealers to use storage technologies for records retention purposes. For example, it wasn't until 1997 that rule 17a was amended to allow records to be archived on electronic media as well as microfiche. And it wasn't until earlier this year that the SEC granted brokers/dealers permission to use certain types of integrated hardware/software electronic storage systems other than optical disk for record retention (e.g., systems that prevent overwriting, erasure, etc.).

Rule 17a-3 tells brokers and dealers what type of records they are required to create (e.g., daily purchase/sales of securities, customer orders, cash disbursements, etc.), while 17a-4 defines the steps they must take before archiving to various electronic media, media requirements, and retention periods.

A common misperception about these rules is that only optical disk technology is acceptable under the SEC guidelines, says Gerr. "In fact, several leading financial institutions are deploying purpose-built magnetic tape and magnetic disk systems with non-rewritable and non-erasable functionality in the operating system, device handlers, or firmware."

The challenge is in knowing which parts of the rules apply to technology and which parts are implemented in business policies and procedures, explains Gerr.

The following are key points/recommendations about record retention:

  • Records can be kept on optical disk as well as on other storage media as long as the format is both non-rewritable and non-erasable. Get SEC approval at least 90 days before implementing any non-optical-disk technology.
  • Retention periods vary from three years (e.g., brokerage manuals and examination reports) to six years (e.g., purchase and sales records) or more (e.g., member registration information), depending on the type of record (see figure).
  • Make duplicate copies of all records and store them in separate locations. The SEC does not dictate that duplicate copies be stored off-site, just in different locations. The records also need to be time-stamped for the required retention period.
  • Verify the quality and accuracy of the storage media recording process, and make sure you have enough capacity to readily download indexes and records to any acceptable medium.
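The four points above translate naturally into an automated inventory audit: compute each record's retention expiry from its type, and flag records still inside that window that lack a time stamp, lack a second copy, keep both copies at the same location, or sit on media that can be overwritten or erased. The following script is an added illustration, not code from the article or from ESG; the record model, the finding codes, and the sample inventory are constructed, and the retention table uses only the example periods the article mentions (three years for manuals and examination reports, six years for purchase and sales records) rather than any authoritative schedule. It goes slightly beyond the text by also reporting when a record has passed its retention period and is eligible for disposition.

```python
from dataclasses import dataclass, field
from datetime import date

# Retention schedule in years, keyed by record type. The values are the
# examples the article gives; they are illustrative assumptions, not a
# legal reference for any particular record class.
RETENTION_YEARS = {
    "brokerage_manual": 3,
    "examination_report": 3,
    "purchase_sales_record": 6,
}


@dataclass
class StoredCopy:
    location: str          # site holding this copy; distinct sites satisfy the duplicate rule
    non_rewritable: bool   # the system or media prevents overwriting
    non_erasable: bool     # the system or media prevents deletion before expiry


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    time_stamped: bool     # the record carries a time stamp covering its retention period
    copies: list = field(default_factory=list)


def add_years(d: date, years: int) -> date:
    """Add whole years to a date; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(record: Record) -> date:
    """Earliest date on which the record may be disposed of under the schedule."""
    return add_years(record.created, RETENTION_YEARS[record.record_type])


def disposal_eligible(record: Record, today: date) -> bool:
    """True once the retention period has run; retaining longer is still allowed."""
    return today >= retention_end(record)


def audit_record(record: Record, today: date) -> list:
    """Return a list of finding codes; an empty list means no issues were found."""
    findings = []
    if record.record_type not in RETENTION_YEARS:
        # No schedule means no way to know when the record may be disposed of.
        findings.append("unknown_record_type")
        return findings
    if disposal_eligible(record, today):
        # Past its retention period: nothing further is required of it.
        return findings
    if not record.time_stamped:
        findings.append("missing_time_stamp")
    if len(record.copies) < 2:
        findings.append("fewer_than_two_copies")
    elif len({c.location for c in record.copies}) < 2:
        # Two copies at one site do not satisfy the separate-locations rule.
        findings.append("copies_not_in_separate_locations")
    for copy in record.copies:
        if not (copy.non_rewritable and copy.non_erasable):
            findings.append(f"copy_not_worm:{copy.location}")
    return findings


def audit_inventory(records, today: date) -> dict:
    """Map each record id to its findings so an auditor sees only the exceptions."""
    return {r.record_id: audit_record(r, today) for r in records}


# Constructed sample inventory (not real records); the audit date is the
# article's publication date.
AUDIT_DATE = date(2003, 8, 1)
SAMPLE_RECORDS = [
    Record("R1", "purchase_sales_record", date(2003, 1, 15), True,
           [StoredCopy("site-a", True, True), StoredCopy("site-b", True, True)]),
    Record("R2", "brokerage_manual", date(2002, 3, 1), True,
           [StoredCopy("site-a", True, True), StoredCopy("site-a", False, False)]),
    Record("R3", "examination_report", date(2003, 5, 1), False,
           [StoredCopy("site-a", True, True)]),
    Record("R4", "examination_report", date(1999, 6, 30), True,
           [StoredCopy("site-a", True, True), StoredCopy("site-b", True, True)]),
]

if __name__ == "__main__":
    for rid, findings in audit_inventory(SAMPLE_RECORDS, AUDIT_DATE).items():
        print(rid, "OK" if not findings else ", ".join(findings))
```

Run as-is, R1 and R4 report OK (R4 because its three-year period ended in 2002), R2 is flagged for keeping both copies at one site and for a rewritable second copy, and R3 for the missing time stamp and the single copy. Keeping the findings as short codes rather than prose makes them easy to count, trend, and hand to an auditor alongside the record ids.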

Finally, ESG recommends that you turn to storage hardware vendors that have partnerships with application vendors when searching for an appropriate technology to meet the SEC regulations. In particular, Gerr says that record management, content management, and messaging applications can be particularly helpful during the compliance process.

HIPAA

While HIPAA is widely known for providing health insurance protection to unemployed workers (i.e., COBRA), a significant portion of the HIPAA regulations has virtually no storage components, says Gerr. "It is Title II that the healthcare industry is buzzing about."

Title II is the Administrative Simplification portion of the act. Its purpose, among other things, is to establish standards for electronic healthcare transactions in the areas of privacy, security, and electronic healthcare transactions and code sets. "The goal of these provisions is to improve the efficiency and effectiveness of the nation's healthcare system by encouraging widespread use of electronic data interchange in healthcare," explains Gerr.

Has HIPAA created a storage emergency? "No, but it will be the next storage pinch," says Peter Gerr. Right now, financial service regulations (such as SEC 17a) are the hot buttons, he says.

While the Administrative Simplification rule went into effect in April, its security component, which has the broadest storage implications, doesn't go into effect until sometime next year. The provisions that are in effect today, Gerr says, have produced no real changes in terms of storage decision-making.

The privacy rule establishes guidelines for setting policies and implementing procedures to ensure patient information is protected. Besides dictating that certain healthcare records be retained for a minimum of six years, or two years after a patient's death, the rule does not dictate specific storage media or systems requirements.

However, HIPAA does have storage implications down the road once the security piece of the provision is put into effect and as paper records are digitized. Gerr points out that there is a higher probability of data loss with paper records and that recovery can be slow. As a result, he says organizations should strongly consider electronic storage, if they haven't already.

Explains Gerr: "The risk of data loss infringes on compliance with the act's privacy rule. This could provide the incentive for some providers to digitize more of their information. As the transformation from paper to electronic media continues, there is more data to store, index, retrieve, back up, and secure."

The security rule, meanwhile, is designed to protect patient information while it is being electronically transmitted or at rest, which is of particular concern to IT administrators and to storage vendors, explains Gerr. Organizations, he says, should look to vendors that can help ensure the protection of data while it is in transit or at rest.

"There are no explicit storage requirements, but there are places where having a storage technology system (e.g., disk system, software, or networking) makes [tremendous] sense," he says. For security purposes, he recommends things such as contingency and disaster-recovery plans, although these are not specifically addressed in the rule.

Organizations should also consider things such as secondary backup sites, remote copies, time frames for recovery, encryption, etc., as well as other data management/hardware products that will allow you to address multiple aspects of the provision. Gerr also recommends investigating technologies such as e-mail archiving, low-cost storage systems for digital archives, IP-based replication, and storage WANs.

Sarbanes-Oxley Act

The Sarbanes-Oxley Act has generated a lot of media attention because it was borne out of the accounting debacles (e.g., Enron, WorldCom) of the past few years. The act is designed to regulate corporate and public accounting practices to ensure that financial statements are accurate.

In a nutshell, the act sets rules for the disclosure and retention of various types of corporate information (e.g., financial, accounting, etc.), but, unlike SEC 17a, it does not dictate specific storage requirements other than the retention period. The act, which was put into effect in 2002, dictates that accounting firms that audit the financial statements of publicly traded corporations keep all working papers, correspondence, and communications for four years after an audit.

Similar to HIPAA, Sarbanes-Oxley has no real near-term storage impact but has definite long-term storage implications, again because of the sheer volume of records that will potentially be involved. Gerr says that, like HIPAA, Sarbanes-Oxley will force many organizations to re-evaluate their current paper-record retention strategies.

As paper documents are digitized and the procedures and policies are put in place to determine what types of records need to be retained, having the right types of storage systems in place will become an important part of the equation.

"Sarbanes-Oxley really tells us that more information will be retained for longer periods of time," he says. "There will come a time when auditors and corporations will realize the inefficiencies of paper records. At that point, more electronic records will be created and stored for longer periods of time," he says.

But for now, the storage specifics of this act are few. Sarbanes-Oxley does not dictate specific rules governing the types of storage technologies that can be used to retain information, nor does it dictate backup procedures and policies or other storage/security aspects. That's up to you. But unless you want to become embroiled in a difficult—and costly—legal battle, you'll want to make sure these records are quickly and easily recoverable.

Recurring themes across industries/vertical markets

Expanding scope of regulations:

  • Current regulations will be seen as precedents for future, more broadly based rules
  • Explosive growth in number and storage capacity of "compliant records"
  • Increased complexity for IT/increased cost for the business

Prohibitive cost of traditional compliant records management, retention, and disposition:

  • Business requirements and the increase in retained records are driving the need for new solutions

Need increased efficiencies managing the "life cycle" of compliant records:

  • Specified retention/disposition schedules
  • Stringent privacy, security, data-protection attributes

Requirement for long-term data "discovery," "legibility," "authenticity," and "auditability":

  • Inability to enable all four increases risks, costs, and exposure to penalties.

Source: Enterprise Storage Group, May 2003

This article was originally published on August 01, 2003