Build archiving systems to meet compliance demands

For a viable archiving strategy, you need to know the regulatory landscape -- and the key technologies that will help you comply

The thicket of federal, state, and industry-specific regulations is enormously complex. Most organizations fail to comply with some rules, often due to policy conflicts. The best way for companies to navigate the maze and avoid penalties is to show a "best effort" -- a serious, honest attempt to ensure that records are properly and securely archived in accordance with the best possible understanding of regulations.

For IT, compliance begins with determining the systems and processes necessary to archive the entire gamut of pertinent data -- including email, IMs, files from office suites, scans of documents, photos, faxes, audio files, videos, log files, and more.


These efforts go beyond merely storing information. Data must be archived securely, in an auditable framework, and managed over its lifetime, which can range from a few months to 20 years or more, depending on the type of data and the regulations that apply. Then it must be deleted securely when no longer required.

The liability of lax compliance can be enormous. No company wants to lose a lawsuit because it was unable to respond to legal discovery requirements or face enormous fines because it failed to observe records-keeping or security rules. Both management and IT need to be aware of the archiving requirements for their industry. And IT needs an end-to-end strategy to meet the archiving challenge.

Key compliance regulations and what they mandate

Compliance isn't easy. In some instances, regulatory requirements for archiving overlap or even conflict with each other. For example, one regulation may require that patient records be archived for seven years and then securely disposed of, while another may require that records be held for the lifetime of a patient.

No wonder many companies lean toward "saving everything" by default. The Federal Rules of Civil Procedure require that companies maintain and produce on demand not only paper records but any and all electronically stored information during the discovery phase of litigation. Failing to maintain archives of email and other files may not only result in large financial penalties, but also expose IT staff to fines or even jail time.

To minimize risk, management and IT need to collaborate and create a framework that can ensure proper procedures are followed and can adapt as regulations change. Here's a quick review of where several of the most prominent regulations stand today.

Sarbanes-Oxley and other financial regulations

The Sarbanes-Oxley Act of 2002 is a federal law enacted in the wake of several major corporate accounting scandals, notably the Enron fiasco. Sarbanes-Oxley sets new or enhanced standards for accounting firms, public companies, and corporate management. The infamous Sarbanes-Oxley Section 802, which pertains to records retention, has the greatest applicability to archiving.

Section 802 requires public companies and their accountants to maintain all audit or review documents, including all electronic records, for five years from the end of the fiscal period in which the audit or review was concluded. Because documents must be readable for the five-year period, it's also essential to ensure that document readers or other applications continue to be supported for the full cycle.

Typically, companies are expected to show documented policies on retention and protection of data as well as destruction at the end of the retention period and audit trails. Companies may also need to defend the quality of their system to show that necessary steps were taken to ensure necessary security, fault tolerance, and controls.

Other financial regulations and organizations that deal with archiving policies include the Financial Industry Regulatory Authority, the Securities and Exchange Commission, and the Gramm-Leach-Bliley Act. Each deals with various parts of a company's financial records, stock trading, banking, and investments, with different requirements for disclosure, records retention, and audits.

HIPAA and health records

The Health Insurance Portability and Accountability Act (HIPAA) requires, among many other things, that employee health records (and customer health records, if a company provides health services) be retained securely for a prescribed period and then disposed of securely.

Retention periods vary from two years to seven, depending on state as well as federal requirements and the types of records; for example, records of minors may need to be retained until the minors are 21. HIPAA requires that companies be able to demonstrate that records are secure -- and that they should be capable of determining whether records have been accessed in the event of a data leak.

The new HITECH Act, part of the 2009 economic stimulus package passed by Congress, offers incentives to use electronic health records (EHR) and will eventually reduce Medicare payments to physicians and physician groups that don't use EHR. This means that in the long term, virtually all health organizations will be handling vast amounts of electronic data and will need to archive and protect that data.

PCI compliance and archiving

The Payment Card Industry (PCI) archiving requirements revolve around security rather than retention periods -- data must be stored securely, in encrypted form. This includes data stored in online databases, data stored on tape or other removable media, as well as data transmitted over the Internet. Database access logs and other records of transactions must be stored separately to enable tracking and auditing of data access.

In addition to requiring encryption and other security measures, some states require notification of data breaches to all potentially affected customers, making it essential to track data breaches and to be able to identify all customer records contained in specific archives, tape backups, or other systems that could be accessed or lost.
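The lifecycle described above (overlapping retention periods, litigation holds under the discovery rules, secure disposal once every applicable period has elapsed, and an audit trail that can show who touched what) is easier to reason about in code than in prose. The following Python model is an added example and not part of the article or of any vendor's product. It resolves overlapping rules conservatively (the longest period wins, and an indefinite rule such as "lifetime of the patient" wins over all), refuses disposal while a legal hold is in place, and keeps a hash-chained audit log so that a later edit to the log itself is detectable. Rule names, the record types, the record identifiers and the content bytes are constructed for illustration; the periods applied (five years for audit workpapers, two and seven years and "lifetime" for health records) are taken from the article and, as it says, the real figures depend on jurisdiction and record type.

```python
"""Retention-policy resolution with legal hold and a tamper-evident audit trail.

Added illustration, not production code. Rule names, record types, identifiers
and contents below are constructed; retention periods are illustrative.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional


class RetentionError(Exception):
    """Raised when an action would violate retention policy or a legal hold."""


@dataclass(frozen=True)
class RetentionRule:
    name: str               # label recorded in the audit trail (illustrative)
    record_type: str        # category of record this rule applies to
    years: Optional[int]    # retention period in years; None = retain indefinitely


@dataclass
class ArchivedRecord:
    record_id: str
    record_type: str
    archived_on: date
    sha256: str             # fingerprint of the stored content for integrity checks
    legal_hold: bool = False


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; a 29 Feb anniversary falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


class Archive:
    def __init__(self, rules):
        self.rules = list(rules)
        self.records = {}
        self.audit = []                  # append-only, hash-chained audit trail
        self._prev_hash = "0" * 64       # genesis value for the chain

    @staticmethod
    def _digest(entry) -> str:
        # Hash everything except the hash field itself, with a canonical encoding.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def _log(self, event, record_id, **detail):
        entry = {"seq": len(self.audit), "event": event, "record_id": record_id,
                 "detail": detail, "prev": self._prev_hash}
        entry["hash"] = self._digest(entry)
        self.audit.append(entry)
        self._prev_hash = entry["hash"]

    def ingest(self, record_id, record_type, content: bytes, archived_on: date):
        # Refuse records that no policy covers: they would never become disposable.
        if not any(r.record_type == record_type for r in self.rules):
            raise RetentionError(f"no retention rule covers {record_type!r}")
        rec = ArchivedRecord(record_id, record_type, archived_on,
                             hashlib.sha256(content).hexdigest())
        self.records[record_id] = rec
        self._log("ingest", record_id, record_type=record_type, sha256=rec.sha256)
        return rec

    def retention_deadline(self, record_id) -> Optional[date]:
        """Resolve overlapping rules conservatively: longest period wins, None = never."""
        rec = self.records[record_id]
        periods = [r.years for r in self.rules if r.record_type == rec.record_type]
        if any(p is None for p in periods):
            return None
        return add_years(rec.archived_on, max(periods))

    def set_legal_hold(self, record_id, held: bool, matter: str):
        self.records[record_id].legal_hold = held
        self._log("legal_hold", record_id, held=held, matter=matter)

    def dispose_eligible(self, today: date):
        """Records whose every applicable period has elapsed and that are not on hold."""
        out = []
        for rid, rec in self.records.items():
            deadline = self.retention_deadline(rid)
            if deadline is not None and deadline <= today and not rec.legal_hold:
                out.append(rid)
        return sorted(out)

    def dispose(self, record_id, today: date):
        rec = self.records[record_id]
        if rec.legal_hold:
            raise RetentionError(f"{record_id} is under legal hold")
        deadline = self.retention_deadline(record_id)
        if deadline is None or deadline > today:
            raise RetentionError(f"{record_id} is still within its retention period")
        del self.records[record_id]
        # Real systems would wipe media or destroy keys here; the audit entry records it.
        self._log("dispose", record_id, deadline=deadline, method="secure-erase")

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited, reordered or removed entry breaks it."""
        prev = "0" * 64
        for i, entry in enumerate(self.audit):
            if entry["seq"] != i or entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    rules = [RetentionRule("SOX-802", "audit-workpaper", 5),
             RetentionRule("state-health", "patient", 7),
             RetentionRule("lifetime-health", "patient", None),
             RetentionRule("email-2y", "email", 2)]
    archive = Archive(rules)
    archive.ingest("wp-1", "audit-workpaper", b"constructed workpaper", date(2010, 1, 31))
    archive.ingest("pt-1", "patient", b"constructed chart", date(2010, 1, 31))
    print(archive.retention_deadline("wp-1"), archive.retention_deadline("pt-1"))
```

The "longest period wins" rule is the programmatic form of the "save everything" instinct the article mentions: when two rules disagree, keeping the record satisfies both, while disposing satisfies only one. The audit chain is deliberately separate from the records themselves, matching the PCI expectation that access and disposal logs live apart from the data they describe.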

Logan G. Harbaugh