click to visit home page
leading the way to the new storage frontier .....
Fast Purge flash SSDs directory & articles
Fast Purge SSDs ..
STORAGE Security
storage security ..
Disk Sanitizers
Disk Sanitizers ..

Privacy and Security Regulations, and How they Impact Storage Systems

Article by - Robb Dennis Association of Storage Networking Professionals - February 18, 2005
Editor's intro:- What are the legal regulations covering the type of storage system, backup and disaster recovery and encryption mandated for companies operating in the US? This article answers those questions and is a sound starting point for anyone having the duty of care and responsibility for their corporate data. Because regulations change so quickly it's worth considering the impact of these best practises on your own organisation even if you think you are currently outside the scope of these laws. That will reduce the level of panic when they creep up on you.
Privacy and Security Regulations, and How they Impact Storage Systems
Several government regulations have emerged in recent years on privacy and security issues designed to safeguard consumer information and prevent corporate abuses. This legislation is having a strong impact on storage system design and administration.

The laws are complex and sometimes intentionally vague to allow for new technology developments. Some of the regulations demand stiff fines and jail time for offending executives. CEOs and Board members are turning to storage managers, therefore, to secure an ever growing silo of consumer information and corporate documents. This article gives an overview of the regulations and describes the challenges facing the storage industry and storage managers.

Some of the more important regulations that have gone into effect recently are:
  • Health Information Portability and Accountability Act (HIPAA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Gramm-Leach-Bliley Act (GLBA)
  • California Senate Bill 1386
  • Sarbanes-Oxley Act (SBA)
  • SEC Rule 17a
Flexxon SSDs for indistrial medical and automotive applications - overview image

IMA (Industrial, Medical & Automotive)
XTREME series SSDs - from Flexxon
Health Information Portability and Accountability Act (HIPAA)

This legislation improves health care by putting medical records online, while also protecting patient privacy. Originally enacted in 1996, the privacy regulations are in effect now, and security regulation enforcement begins in 2005.


The privacy requirements concern non-disclosure of individually identifiable patient information, either by name, address, relative's names, etc. Security regulations specify the administrative standards must cover:
  • Individual user authentication
  • Access controls
  • Audit trails
  • Physical security and disaster recovery
  • Protection of remote access points (for example, every PC in the hospital)
  • Secure external electronic communications
  • Software discipline
  • System assessment
Medical emergencies demand fast response to online queries. The law does not specify the storage technology but makes it clear that organizations of all sizes must do whatever it takes to secure private information. Although data encryption was in the proposed security regulations, it was dropped from the final version. Hospitals must store patient's medical records from birth to age 21, and then can reduce the data retention to 5 years. The complete data retention requirements are:
  • Medical Records
    • Child records - birth to 21 years of age
    • Adult records 5 years, continuing until 2 years after death
  • Records of information disclosures - 6 years
  • Compliance standards, implementations, policies, procedures - 6 years

The need for fast response to queries in medical diagnostic and insurance can today only be met by magnetic storage rather than tape or optical disk. A disaster that destroys or corrupts all of a hospital's online records puts patients into immediate danger and could close down the business. A geographically separated, secondary synchronized data center should be considered. Data encryption at the source is probably the best way to protect the privacy of patients.

Personal Information Protection and Electronic Documents Act

Enacted by the Canadian government in 2000 and in full effect in 2004, this act is unique because it follows a national privacy standard: the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. The act covers personal privacy, electronic documents and electronic signatures, and applies to all personal information collected, used or disclosed in commercial activity. Courts can order offending companies to change their methods, and victims of unauthorized disclosure can sue for damages and humiliation.


The organization must obtain the individual's consent before disclosing personal information to any third party. Well-planned and documented privacy policies must be known and followed within the company. The act requires "personal information shall be protected by security safeguards appropriate to the sensitivity of the information." Corresponding layers of security go up to and including data encryption at the source. Data must be retrievable on demand by customer or law enforcement, and retained only as long as required by law.

Electronic documents must be stored in the original format, or at least in a format that does not change the information. (Encryption is allowed.) The retrieved information must be readable or understandable by any authorized person. The document must retain information about points of origin, destinations, dates and times.


Storage managers must work closely with operations managers to thoroughly understand the classes of information and must determine the appropriate levels of security and zoning criteria. Encryption on the disk is encouraged, and encryption at the source may be justified. For fast Web-based secure applications, encryption appliances might improve response time. Storage managers must work with Legal departments to determine data retention periods defined under various laws. Destroying bad disks and old equipment is also important, as the Bank of Montreal found out after old computers containing hundreds of confidential customer files went up for auction on eBay.

Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)

Enacted by the U.S. Federal government in 1999, this act applies to a wide range of financial, credit, insurance and many more types of money-handling institutions. It prohibits disclosing customer information to non-affiliated third-party organizations and protects the integrity of the information. The federal agencies have published the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information (12 CFR)" to assist executives in developing security standards.


Company executives must:
1 Participate in company-wide risk assessment
2 Manage risk, including implementing some or all of the following, as appropriate to the particular institution. The law recognizes not all may apply to some cases.
  • Data access controls
  • Physical access controls
  • Encryption while in transit on networks or at rest in storage, or both
  • Monitor system modifications to assure security
  • Dual control procedures (two authorized persons needed to access), segregation of duties, and employee background checks
  • Monitoring systems to detect actual or attempted attacks or intrusions into the system
  • Response procedures to be taken after an actual or attempted attack or intrusion · Protection against environmental hazards or technological failures
3 Train the staff in security procedures
4 Regularly test security systems
5 Maintain vigilance against future methods of attack or intrusion
6 Oversee third-party providers to assure security

Implementing all of these methods, although not necessarily required, would put a strong, safe storage system in place. Storage managers will be called upon for risk assessment and standards.

California Senate Bill 1386

"1386" went into effect in July 2003 and applies to companies doing business in California and all companies holding personal information of California residents. The intent is that anyone whose personal information may have been disclosed to unauthorized persons can quickly begin taking countermeasures against identity theft, misuse of information, etc. Victims can bring civil suit for damages.


The organization must disclose, in specified ways, any security breach in which an unauthorized person might have acquired unencrypted personal information. The law states "…"personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
  1. Social security number.
  2. Driver's license number or California Identification Card number.
  3. Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account."

There is no definition of the level of encryption, but this clearly implies encryption at the source. The company must have procedures to identify and contact persons affected, therefore storage managers need to be able to determine the boundaries of the compromised area.

Sarbanes-Oxley Act (SOA, Sox)

Enacted by the US Federal Government in 2002 in response to corporate financial scandals, this act applies to all publicly held companies in the U.S. that have more than $75 million equity market capitalization and that report quarterly to the Securities and Exchange Commission (SEC). It covers financial reporting to the SEC, auditing practices and associated document retention. By holding CEOs and CFOs directly responsible for the accuracy of financial reports, this act has had a major effect on U.S. corporations and has already sent one executive to jail.

The intent is to preserve all records of business dealings and financial audits for long enough to allow detailed investigations of questionable business activities.


The company must save all documentation used to create financial reports and audits. Sarbanes-Oxley defines documentation as:
  • "Relevant records such as workpapers
  • Documents that form the basis of an audit or review
  • Memoranda
  • Correspondence
  • Communications
  • Other documents
  • Records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review"
The law requires risk assessment, either across the entire company, or by a summation of narrower risk assessments on individual transactions and operations within the company. Storage risk assessment is part of the overall requirement.

The document retention period is 7 years and recovery time is limited to a very few days following a federal request. Because of the legal importance of these documents, Write-Once-Read-Many (WORM) magnetic disk storage should be considered. Security is vital to protect against malicious use of this gold mine of company information.


The storage manager should meet with operations managers to determine what documents of these types exist in the company and the magnitude of the storage required, as well as to arrange for automatic collection and routing to secure storage.

A document management system that precisely identifies, queries, and retrieves sets of documents is necessary to quickly respond to requests from federal agencies and to maintain operational requirements. Secure, geographically separated secondary storage on magnetic disk would provide disaster recovery while maintaining document recovery time.

SEC Rule 17a

The SEC has expanded Rule 17a that covers exchange member and brokerage house record keeping. Rule 17a now includes all forms of internal and external electronic communication, such as e-mails, instant messages, order tickets, approvals and more. There seems to be nothing in writing from the SEC that extends e-mail and IM retention to companies covered under Sarbanes-Oxley, but some experts advise all Sarbanes-Oxley companies to observe the electronic message requirements of Rule 17a. The major U.S. stock exchanges have established standards based on this rule.


Brokerage houses have always had to quickly and accurately verify records of a large volume of trading orders. This act is explicit in the demand for "non-rewritable, non-erasable" storage of all documents. This makes WORM storage mandatory. Each document must be stored in duplicate, with time stamps and showing the origin and destination. Duplicates must be kept off-site. Data retention is for 6 years, with the first 2 years in fast storage. The company must "immediately" provide a copy of any document upon SEC request.


The effect is to mandate WORM magnetic disk, at least for the first 2 years, and an excellent document retrieval system. The fast retrieval time and off-site backup requirements imply a separate, synchronized storage center. If the brokerage or trading house is also covered by Sarbanes-Oxley, storage design must target the most demanding requirements of both Sarbanes-Oxley and SEC 17a.


We see common requirements in many of these regulations. Administrative work for developing and implementing storage standards is rising. Encryption, WORM storage, synchronized alternate storage, and indexed document retrieval are becoming standard. These laws reflect the best practices of the storage industry at the time they were drafted, and they raise the general standards of data security and integrity. The volume of information in secured storage will continue to rise. The storage manager must work more closely with operations managers to minimize the volume by eliminating redundant occurrences of personal data items on multiple forms and records. Storage managers need to continue educating themselves in the next waves of technologies to keep their companies ahead of the growing legislative demands. ...ASNP profile
Association of Storage Networking Professionals click for profile
storage industry trade associations - click for larger image
Storage ORGs on
Megabyte found that talking to other
specialists was a good way to learn
more about storage.
Disk sanitizers
Fast Purge SSDs
this way to the Petabyte SSD
Milestones in Disk to Disk Backup
the Solid State Disks Buyers Guide
the Dangers of Removable Storage Media
Data Integrity Challenges in flash SSD Design
notebook SSD encryption - performance & recoverability
he Impact of Compliance and Risk Management on Archival Storage Strategies
fast erase / purge MIL SSDs
The need for fast and secure data erase - in which vital parts of a flash SSD or its data are destroyed in seconds - has always been a requirement in military projects.

Fast Purge flash SSDs directory & articlesAlthough many industrial SSD vendors offer products with extended "rugged" operating environment capabilities - and even notebooks SSDs come with encryption - it's the availability of fast destructive data purge which differentiates "truly secure" SSDs which can be deployed in sensitive applications.

Who makes these SSDs? How do they work? And what are the characteristics and limitations of the various methods used? Click on the link above to find out more in my special article / directory about fast purge SSDs.

storage search banner

1.0" SSDs 1.8" SSDs 2.5" SSDs 3.5" SSDs rackmount SSDs PCIe SSDs SATA SSDs
SSDs all flash SSDs hybrid drives flash memory RAM SSDs SAS SSDs Fibre-Channel SSDs is published by ACSL