The thicket of federal, state, and industry-specific regulations is enormously complex. Most organizations fail to comply with some rules, often due to policy conflicts. The best way for companies to navigate the maze and avoid penalties is to show a "best effort" -- a serious, honest attempt to ensure that records are properly and securely archived in accordance with the best possible understanding of regulations.
For IT, compliance begins with determining the systems and processes necessary to archive the entire gamut of pertinent data -- including email, IMs, files from office suites, scans of documents, photos, faxes, audio files, videos, log files, and more.
These efforts go beyond merely storing information. Data must be archived securely, in an auditable framework, and managed over its lifetime, which can range from a few months to 20 years or more, depending on the type of data and the regulations that apply. Then it must be deleted securely when no longer required.
The liability of lax compliance can be enormous. No company wants to lose a lawsuit because it was unable to respond to legal discovery requirements or face enormous fines because it failed to observe records-keeping or security rules. Both management and IT need to be aware of the archiving requirements for their industry. And IT needs an end-to-end strategy to meet the archiving challenge.
Key compliance regulations and what they mandate
Compliance isn't easy. In some instances, regulatory requirements for archiving overlap or even conflict with each other. For example, one regulation may require that patient records be archived for seven years and then securely disposed of, while another may require that records be held for the lifetime of a patient.
No wonder many companies lean toward "saving everything" by default. The Federal Rules of Civil Procedure require that companies maintain and produce on demand not only paper records but any and all electronically stored information during the discovery phase of litigation. Failing to maintain archives of email and other files may result not only in large financial penalties for the company, but also in fines or even jail time for IT staff.
To minimize risk, management and IT need to collaborate and create a framework that can ensure proper procedures are followed and can adapt as regulations change. Here's a quick review of where several of the most prominent regulations stand today.
Sarbanes-Oxley and other financial regulations
The Sarbanes-Oxley Act of 2002 is a federal law enacted in the wake of several major corporate accounting scandals, notably the Enron fiasco. Sarbanes-Oxley sets new or enhanced standards for accounting firms, public companies, and corporate management. The infamous Sarbanes-Oxley Section 802, which pertains to records retention, has the greatest applicability to archiving.
Section 802 requires public companies and their accountants to maintain all audit or review documents, including all electronic records, for five years from the end of the fiscal period in which the audit or review was concluded. Because documents must be readable for the five-year period, it's also essential to ensure that document readers or other applications continue to be supported for the full cycle.