Recent Harris Interactive surveys reveal that most customers still do not trust companies to handle their personal information responsibly. Reflecting consumer mistrust, several governmental regulations have emerged to legislate security and build consumer trust.
The laws are complex, demanding stiff fines and jail time for offending executives, which makes it all the more important for storage professionals to be aware of – and in compliance with – the multitude of regulations impacting the storage industry. Let’s look at an overview of the regulations and discuss the challenges and opportunities these laws present for storage and IT managers.
Enacted by the U.S. Federal government in 1999, this act applies only to financial institutions. It covers security for the private information of customers.
Requires: Administrative, technical, and physical safeguards to protect customer information; privacy notices and opt-out provisions; vigilance against future threats; responsibility for outsourced security solutions.
Implications: Increased storage volume and secure backup storage, as well as increased network and storage security; data encryption at source; company-wide policies, risk assessments, and reports.
California Senate Bill 1386
"1386" went into effect in July 2003 and applies to companies doing business in California and all companies holding personal information of California residents. A customer can bring civil suit for damages.
Requires: Disclosure of any security breach in which unencrypted personal information might have been acquired by an unauthorized person; procedures to identify and contact persons affected; and due diligence in protecting customer information from unauthorized access. There is no definition of the level of encryption.
Implications: Data encryption at source and throughout data lifecycle; network and storage security layers; zoning.
Enacted by the US Federal Government in 2002 in response to corporate financial scandals, this act applies to all publicly held companies in the U.S. that have more than $75 million equity market capitalization and that report quarterly to the Securities and Exchange Commission (SEC). It covers financial reporting, auditing practices, and associated document retention.
Holding CEOs and CFOs directly responsible, this act has had a major effect on U.S. corporations and has already sent one executive to jail. This act does not directly regulate consumer privacy, but it has important Storage and IT implications.
Requires: All documentation used for financial reports and audits must be saved, as well as all transactions and meeting minutes; data must be retained for 5 years; ability to locate and recover documents in a few days.
Implications: Increased storage volume; indexed document retrieval from primary and backup media; Write-Once, Read-Many (WORM) storage; disaster recovery including geographically isolated synchronized storage.
SEC Rule 17a
The SEC has expanded Rule 17a that covers exchange member and brokerage house record-keeping. Rule 17a now includes all forms of internal and external electronic communication, such as e-mails, instant messages (IMs), order tickets, approvals, and more. There seems to be nothing in writing from the SEC that extends e-mail and IM retention to companies covered under Sarbanes-Oxley, but some experts advise all Sarbanes-Oxley companies to observe the electronic message requirements of Rule 17a .
Requires: Non-rewritable, non-erasable, time-stamped, duplicate message storage; third-party download and storage service; fully indexed and searchable messages; data retention for 6 years, with the first two years being in faster storage; ability to "immediately" provide a copy of any message upon SEC request.
Implications: Increased primary and WORM storage volumes; improved indexed message retrieval from primary and backup media, with query/report tools.
Personal Information Protection and Electronic Documents Act
Enacted by the Canadian government in 2000, this act is unique because it follows a national privacy standard: the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. The act covers personal privacy and electronic documents.
Requires: Consent before disclosing personal information; well planned and documented privacy policies made known within the company; levels of information sensitivity and security; data retrieval on demand by customer or law enforcement; data retention only as long as required by law.
Implications: Company-wide security policies; procedures for gaining customer for permission to disclose private information; increased secure storage volume; indexed document retrieval from primary and backup media; security level zoning.
While these laws mean a whole lot of overtime for storage professionals in the coming years, privacy is actually far more than a legal obligation. As the Harris Interactive Surveys show, it is also good business.
Almost 50 percent of consumers, for example, claim they would buy more frequently and in greater volume from companies known to have more reliable privacy practices. On the other hand, 83 percent would stop doing business entirely with companies that misuse private information. 75 percent mistrust company confidentiality, transaction security, and protection against hackers.
The bottom line: Customers want their information kept private, and storage professionals are going to be under more corporate scrutiny than ever as a result of the legislation covered above.