Trust, Mistrust, and Consumer Information
Recent Harris Interactive surveys reveal that most customers still do not trust companies to handle their personal information responsibly. Reflecting consumer mistrust, several governmental regulations have emerged to legislate security and build consumer trust.
The laws are complex, demanding stiff fines and jail time for offending executives, which makes it all the more important for storage professionals to be aware of – and in compliance with – the multitude of regulations impacting the storage industry. Let’s look at an overview of the regulations and discuss the challenges and opportunities these laws present for storage and IT managers.
Enacted by the U.S. Federal government in 1999, this act applies only to financial institutions. It covers security for the private information of customers.
Requires: Administrative, technical, and physical safeguards to protect customer information; privacy notices and opt-out provisions; vigilance against future threats; responsibility for outsourced security solutions.
Implications: Increased storage volume and secure backup storage, as well as increased network and storage security; data encryption at source; company-wide policies, risk assessments, and reports.
California Senate Bill 1386
"1386" went into effect in July 2003 and applies to companies doing business in California and all companies holding personal information of California residents. A customer can bring civil suit for damages.
Requires: Disclosure of any security breach in which unencrypted personal information might have been acquired by an unauthorized person; procedures to identify and contact persons affected; and due diligence in protecting customer information from unauthorized access. There is no definition of the level of encryption.
Implications: Data encryption at source and throughout data lifecycle; network and storage security layers; zoning.
Enacted by the US Federal Government in 2002 in response to corporate financial scandals, this act applies to all publicly held companies in the U.S. that have more than $75 million equity market capitalization and that report quarterly to the Securities and Exchange Commission (SEC). It covers financial reporting, auditing practices, and associated document retention.
Holding CEOs and CFOs directly responsible, this act has had a major effect on U.S. corporations and has already sent one executive to jail. This act does not directly regulate consumer privacy, but it has important Storage and IT implications.
Requires: All documentation used for financial reports and audits must be saved, as well as all transactions and meeting minutes; data must be retained for 5 years; ability to locate and recover documents in a few days.
Implications: Increased storage volume; indexed document retrieval from primary and backup media; Write-Once, Read-Many (WORM) storage; disaster recovery including geographically isolated synchronized storage.