September 2005
Storage strategies meet regulatory burden on data retention
By Daniel Delshad
The regulatory burden on data retention continues to increase with no signs of abating. Companies, therefore, must pay close attention to the mandates of HIPAA, Sarbanes-Oxley and other legislation, and incorporate these requirements into their IT infrastructure.
From the perspective of information storage, here are several critical elements:
The Health Information Portability and Accountability Act
The Health Information Portability and Accountability Act or HIPAA improves health care by putting medical records online, while also protecting patient privacy. Originally enacted in 1996, the privacy regulations are in effect now, and security regulation enforcement also began in 2005.
The privacy requirements concern non-disclosure of individually identifiable patient information, whether by name, address, relatives' names, etc. The security regulations specify that the administrative standards must cover: individual user authentication, access controls, audit trails, physical security and disaster recovery, protection of remote access points (for example, every PC in the hospital), secure external electronic communications, software discipline and system assessment.
Medical emergencies demand fast response to online queries. The law does not specify the storage technology but makes it clear that organizations of all sizes must do whatever it takes to secure private information. Although data encryption was in the proposed security regulations, it was dropped from the final version. Hospitals must store patients' medical records from birth to age 21, and can then reduce the data retention to five years.
The complete data retention requirements are:
- Medical records: Children, birth to 21 years of age; and adults, five years, continuing until two years after death;
- Records of information disclosures: six years; and
- Compliance standards, implementations, policies, procedures: six years.
HIPAA implications
The need for fast response to queries in medical diagnostics and insurance can today be met only by magnetic storage rather than tape or optical disk. A disaster that destroys or corrupts all of a hospital's online records puts patients in immediate danger and could close down the business.
A geographically separated, secondary synchronized data center should be considered. Data encryption at the source is probably the best way to protect the privacy of patients.
Personal Information Protection and Electronic Documents Act
Enacted by the Canadian government in 2000 and in full effect in 2004, this act is unique because it follows a national privacy standard: the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. The act covers personal privacy, electronic documents and electronic signatures, and applies to all personal information collected, used or disclosed in commercial activity. Courts can order offending companies to change their methods, and victims of unauthorized disclosure can sue for damages and humiliation.
The organization must obtain the individual's consent before disclosing personal information to any third party. Well-planned and documented privacy policies must be known and followed within the company. The act requires "personal information shall be protected by security safeguards appropriate to the sensitivity of the information." Corresponding layers of security go up to and including data encryption at the source. Data must be retrievable on demand by customer or law enforcement, and retained only as long as required by law.
Electronic documents must be stored in the original format, or at least in a format that does not change the information (encryption is allowed). The retrieved information must be readable or understandable by any authorized person. The document must retain information about points of origin, destinations, dates and times.
Implications
Storage managers must work closely with operations managers to thoroughly understand the classes of information and must determine the appropriate levels of security. Encryption on the disk is encouraged, and encryption at the source may be justified.
For fast web-based secure applications, encryption appliances might improve response time. Storage managers must work with legal departments to determine data retention periods defined under various laws. Destroying bad disks and old equipment is also important, as the Bank of Montreal found out after old computers containing hundreds of confidential customer files went up for auction on eBay.
Gramm-Leach-Bliley Financial Services Modernization Act
Enacted by the U.S. government in 1999, the Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) applies to a wide range of financial, credit, insurance and many more types of money-handling institutions. It prohibits disclosing customer information to non-affiliated third-party organizations and protects the integrity of the information. The federal agencies have published the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information (12 CFR)" to assist executives in developing security standards.
Company executives must participate in company-wide risk assessment, and manage risk, including implementing some or all of the following, as appropriate to the particular institution (the law recognizes not all may apply to some cases):
- data access controls;
- physical access controls;
- encryption while in transit on networks or at rest in storage, or both;
- monitor system modifications to assure security;
- dual control procedures (two authorized persons needed to access), segregation of duties and employee background checks;
- monitoring systems to detect actual or attempted attacks or intrusions into the system;
- response procedures to be taken after an actual or attempted attack or intrusion; and
- protection against environmental hazards or technological failures.
Company executives must also train the staff in security procedures, regularly test security systems, maintain vigilance against future methods of attack or intrusion, and oversee third-party providers to assure security.
Implications
Implementing all of these methods, although not necessarily required, would put a strong, safe storage system in place. Storage managers will be called upon for risk assessment and standards.
California Senate Bill 1386
California Senate Bill 1386 went into effect in July 2003 and applies to companies doing business in California and all companies holding personal information of California residents. The intent is that anyone whose personal information may have been disclosed to unauthorized persons can quickly begin taking countermeasures against identity theft, misuse of information, etc. Victims can bring civil suit for damages.
The organization must disclose, in specified ways, any security breach in which an unauthorized person might have acquired unencrypted personal information. The law states that "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: Social Security number; driver's license number or California Identification Card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Implications
There is no definition of the level of encryption, but this clearly implies encryption at the source. The company must have procedures to identify and contact the persons affected, so storage managers need to be able to determine the boundaries of the compromised area.
Sarbanes-Oxley Act (SOA, Sox)
Enacted by the U.S. government in 2002 in response to corporate financial scandals, the Sarbanes-Oxley Act (SOA, Sox) applies to all publicly held companies in the United States that have more than $75 million equity market capitalization and that report quarterly to the Securities and Exchange Commission (SEC).
It covers financial reporting to the SEC, auditing practices and associated document retention. By holding CEOs and CFOs directly responsible for the accuracy of financial reports, this act has had a major effect on U.S. corporations and has already sent one executive to jail. The intent is to preserve all records of business dealings and financial audits for long enough to allow detailed investigations of questionable business activities.
The company must save all documentation used to create financial reports and audits. Sarbanes-Oxley defines documentation as:
- relevant records such as workpapers;
- documents that form the basis of an audit or review;
- memoranda;
- correspondence;
- communications;
- other documents and records (including electronic records) that are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review.
The law requires risk assessment, either across the entire company, or by a summation of narrower risk assessments on individual transactions and operations within the company. Storage risk assessment is part of the overall requirement.
The document retention period is seven years and recovery time is limited to a very few days following a federal request. Because of the legal importance of these documents, Write-Once-Read-Many (WORM) magnetic disk storage should be considered. Security is vital to protect against malicious use of this gold mine of company information.
Implications
The storage manager should meet with operations managers to determine what documents of these types exist in the company and the magnitude of the storage required, as well as to arrange for automatic collection and routing to secure storage.
A document management system that precisely identifies, queries, and retrieves sets of documents is necessary to quickly respond to requests from federal agencies and to maintain operational requirements. Secure, geographically separated secondary storage on magnetic disk would provide disaster recovery while maintaining document recovery time.
SEC Rule 17a
The SEC has expanded Rule 17a, which covers exchange member and brokerage house record keeping. Rule 17a now includes all forms of internal and external electronic communication, such as e-mails, instant messages, order tickets, approvals and more.
There seems to be nothing in writing from the SEC that extends e-mail and IM retention to companies covered under Sarbanes-Oxley, but some experts advise all Sarbanes-Oxley companies to observe the electronic message requirements of Rule 17a. The major U.S. stock exchanges have established standards based on this rule.
Brokerage houses have always had to quickly and accurately verify records of a large volume of trading orders. The rule is explicit in its demand for "non-rewritable, non-erasable" storage of all documents, which makes WORM storage mandatory. Each document must be stored in duplicate, with time stamps and showing the origin and destination. Duplicates must be kept off-site. Data retention is for six years, with the first two years in fast storage. The company must "immediately" provide a copy of any document upon SEC request.
Implications
The effect is to mandate WORM magnetic disk, at least for the first two years, and an excellent document retrieval system. The fast retrieval time and off-site backup requirements imply a separate, synchronized storage center. If the brokerage or trading house is also covered by Sarbanes-Oxley, storage design must target the most demanding requirements of both Sarbanes-Oxley and SEC 17a.
Summary
We see common requirements in many of these regulations. Administrative work for developing and implementing storage standards is rising. Encryption, WORM storage, synchronized alternate storage and indexed document retrieval are becoming standard. These laws reflect the best practices of the storage industry at the time they were drafted, and they raise the general standards of data security and integrity.
The volume of information in secured storage will continue to rise. The storage manager must work more closely with operations managers to minimize the volume by eliminating redundant occurrences of personal data items on multiple forms and records. Storage managers need to continue educating themselves in the next waves of technologies to keep their companies ahead of the growing legislative demands.
Daniel Delshad is founder and chairman of the Association of Storage Networking Professionals, the largest end user group in the storage industry with more than 2,000 members throughout North America, Asia, Europe and Africa. He may be contacted at www.asnp.org.