What are the legal regulations covering the type of storage system,
backup and disaster recovery and encryption mandated for companies operating in
the US? This article answers those questions and is a sound starting point for
anyone having the duty of care and responsibility for their corporate data.
Because regulations change so quickly it's worth considering the impact of
these best practices on your own organisation even if you think you are
currently outside the scope of these laws. That will reduce the level of panic
when they creep up on you.
Security Regulations, and How They Impact Storage Systems
Regulations have emerged in recent years on privacy and security issues designed
to safeguard consumer information and prevent corporate abuses. This legislation
is having a strong impact on storage system design and administration.
The laws are complex and sometimes intentionally vague to allow for
new technology developments. Some of the regulations demand stiff fines and jail
time for offending executives. CEOs and Board members are turning to storage
managers, therefore, to secure an ever growing silo of consumer information and
corporate documents. This article gives an overview of the regulations and
describes the challenges facing the storage industry and storage managers.
Some of the more important regulations that have gone into effect are:
- Health Information Portability and Accountability Act (HIPAA)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Gramm-Leach-Bliley Act (GLBA)
- California Senate Bill 1386
- Sarbanes-Oxley Act (SBA)
- SEC Rule 17a
Health Information Portability and Accountability Act (HIPAA)
This legislation improves health care by putting medical records
online, while also protecting patient privacy. Originally enacted in 1996, the
privacy regulations are in effect now, and security regulation enforcement
begins in 2005.
The privacy requirements concern non-disclosure of individually
identifiable patient information, either by name, address, relatives' names,
etc. Security regulations specify the administrative standards must cover:
- Individual user authentication
- Access controls
- Audit trails
- Physical security and disaster recovery
- Protection of remote access points (for example, every PC in the hospital)
- Secure external electronic communications
- Software discipline
- System assessment
Medical emergencies demand fast response to online queries. The law
does not specify the storage technology but makes it clear that organizations of
all sizes must do whatever it takes to secure private information. Although data
encryption was in the proposed security regulations, it was dropped from the
final version. Hospitals must store patients' medical records from birth to age
21, and then can reduce the data retention to 5 years. The complete data
retention requirements are:
- Medical records
  - Child records: birth to 21 years of age
  - Adult records: 5 years, continuing until 2 years after death
- Records of information disclosures: 6 years
- Compliance standards, implementations, policies, procedures: 6 years
The need for fast response to queries in medical diagnostic and
insurance can today only be met by magnetic storage rather than tape or optical
disk. A disaster that destroys or corrupts all of a hospital's online records
puts patients into immediate danger and could close down the business. A
geographically separated, secondary synchronized data center should be
considered. Data encryption at the source is probably the best way to protect
the privacy of patients.
Personal Information Protection and Electronic Documents Act
Enacted by the Canadian government in 2000 and in full effect in 2004,
this act is unique because it follows a national privacy standard: the Canadian
Standards Association (CSA) Model Code for the Protection of Personal
Information. The act covers personal privacy, electronic documents and
electronic signatures, and applies to all personal information collected, used
or disclosed in commercial activity. Courts can order offending companies to
change their methods, and victims of unauthorized disclosure can sue for damages.
The organization must obtain the
individual's consent before disclosing personal information to any third party.
Well-planned and documented privacy policies must be known and followed within
the company. The act requires "personal information shall be protected by
security safeguards appropriate to the sensitivity of the information."
Corresponding layers of security go up to and including data encryption at the
source. Data must be retrievable on demand by customer or law enforcement, and
retained only as long as required by law.
Electronic documents must be stored in the original format, or at
least in a format that does not change the information. (Encryption is allowed.)
The retrieved information must be readable or understandable by any authorized
person. The document must retain information about points of origin,
destinations, dates and times.
Storage managers must work closely with operations managers to
thoroughly understand the classes of information and must determine the
appropriate levels of security and zoning criteria. Encryption on the disk is
encouraged, and encryption at the source may be justified. For fast Web-based
secure applications, encryption appliances might improve response time. Storage
managers must work with Legal departments to determine data retention periods
defined under various laws. Destroying bad disks and old equipment is also
important, as the Bank of Montreal found out after old computers containing
hundreds of confidential customer files went up for auction on eBay.
Gramm-Leach-Bliley Financial Services Modernization Act (GLBA)
Enacted by the U.S. Federal government in 1999, this act applies to a
wide range of financial, credit, insurance and many more types of money-handling
institutions. It prohibits disclosing customer information to non-affiliated
third-party organizations and protects the integrity of the information. The
federal agencies have published the "Interagency Guidelines Establishing
Standards for Safeguarding Customer Information (12 CFR)" to assist
executives in developing security standards.
Company executives must:
- Participate in company-wide
- Manage risk, including implementing some or all of the following, as
  appropriate to the particular institution. The law recognizes not all may
  apply to some cases.
  - Data access controls
  - Physical access controls
  - Encryption while in transit on networks or at rest in storage, or both
  - Monitor system modifications to assure security
  - Dual control procedures (two authorized persons needed to access),
    segregation of duties, and employee background checks
  - Monitoring systems to detect actual or attempted attacks or intrusions into
  - Response procedures to be taken after an actual or attempted attack or
    intrusion
  - Protection against environmental hazards or technological
- Train the staff in security
- Regularly test security systems
- Maintain vigilance against future methods of attack or intrusion
- Oversee third-party providers to assure security
Implementing all of these methods, although not necessarily required,
would put a strong, safe storage system in place. Storage managers will be
called upon for risk assessment and standards.
California Senate Bill 1386
Senate Bill 1386 went into effect in July 2003 and applies to
companies doing business in California and all companies holding personal
information of California residents. The intent is that anyone whose personal
information may have been disclosed to unauthorized persons can quickly begin
taking countermeasures against identity theft, misuse of information, etc.
Victims can bring civil suit for damages.
The organization must disclose, in specified ways, any security breach
in which an unauthorized person might have acquired unencrypted personal
information. The law states: "'personal information' means
an individual's first name or first initial and last name in combination with
any one or more of the following data elements, when either the name or the data
elements are not encrypted:
- Social security number.
- Driver's license number or California Identification Card number.
- Account number, credit or debit card number, in combination with any
required security code, access code, or password that would permit access to an
individual's financial account."
There is no definition of the level of encryption, but this clearly
implies encryption at the source. The company must have procedures to identify
and contact persons affected, therefore storage managers need to be able to
determine the boundaries of the compromised area.
Sarbanes-Oxley Act (SOA, Sox)
Enacted by the US Federal Government in 2002 in response to corporate
financial scandals, this act applies to all publicly held companies in the U.S.
that have more than $75 million equity market capitalization and that report
quarterly to the Securities and Exchange Commission (SEC). It covers financial
reporting to the SEC, auditing practices and associated document retention. By
holding CEOs and CFOs directly responsible for the accuracy of financial
reports, this act has had a major effect on U.S. corporations and has already
sent one executive to jail.
The intent is to preserve all records of business dealings and
financial audits for long enough to allow detailed investigations of
questionable business activities.
The company must save all documentation used to create financial
reports and audits. Sarbanes-Oxley defines documentation as:
- "Relevant records such as workpapers
- Documents that form the basis of an audit or review
- Other documents
- Records (including electronic records) which are created, sent, or received
in connection with an audit or review and contain conclusions, opinions,
analyses, or financial data relating to such an audit or review"
The law requires risk assessment, either across the entire company, or
by a summation of narrower risk assessments on individual transactions and
operations within the company. Storage risk assessment is part of the overall
The document retention period is 7 years and recovery time is limited
to a very few days following a federal request. Because of the legal importance
of these documents, Write-Once-Read-Many (WORM) magnetic disk storage should be
considered. Security is vital to protect against malicious use of this gold mine
of company information.
The storage manager should meet with operations managers to determine
what documents of these types exist in the company and the magnitude of the
storage required, as well as to arrange for automatic collection and routing to
A document management system that precisely identifies, queries, and
retrieves sets of documents is necessary to quickly respond to requests from
federal agencies and to maintain operational requirements. Secure,
geographically separated secondary storage on magnetic disk would provide
disaster recovery while maintaining document recovery time.
SEC Rule 17a
The SEC has expanded Rule 17a that covers exchange member and
brokerage house record keeping. Rule 17a now includes all forms of internal and
external electronic communication, such as e-mails, instant messages, order
tickets, approvals and more. There seems to be nothing in writing from the SEC
that extends e-mail and IM retention to companies covered under Sarbanes-Oxley,
but some experts advise all Sarbanes-Oxley companies to observe the electronic
message requirements of Rule 17a. The major U.S. stock exchanges have
established standards based on this rule.
Brokerage houses have always had to quickly and accurately verify
records of a large volume of trading orders. This act is explicit in the demand
for "non-rewritable, non-erasable" storage of all documents. This
makes WORM storage mandatory. Each document must be stored in duplicate, with
time stamps and showing the origin and destination. Duplicates must be kept
off-site. Data retention is for 6 years, with the first 2 years in fast storage.
The company must "immediately" provide a copy of any document upon SEC
The effect is to mandate WORM magnetic disk, at least for the first 2
years, and an excellent document retrieval system. The fast retrieval time and
off-site backup requirements imply a separate, synchronized storage center. If
the brokerage or trading house is also covered by Sarbanes-Oxley, storage design
must target the most demanding requirements of both Sarbanes-Oxley and SEC 17a.
We see common requirements in many of these regulations.
Administrative work for developing and implementing storage standards is rising.
Encryption, WORM storage, synchronized alternate storage, and indexed document
retrieval are becoming standard. These laws reflect the best practices of the
storage industry at the time they were drafted, and they raise the general
standards of data security and integrity. The volume of information in secured
storage will continue to rise. The storage manager must work more closely with
operations managers to minimize the volume by eliminating redundant occurrences
of personal data items on multiple forms and records. Storage managers need to
continue educating themselves in the next waves of technologies to keep their
companies ahead of the growing legislative demands.