Typically, companies are expected to show documented policies on retention and protection of data as well as destruction at the end of the retention period and audit trails. Companies may also need to defend the quality of their system to show that necessary steps were taken to ensure necessary security, fault tolerance, and controls.
Other financial regulations and organizations that deal with archiving policies include the Financial Industry Regulatory Authority, the Securities and Exchange Commission, and the Gramm-Leach-Bliley Act. Each deals with various parts of a company's financial records, stock trading, banking, and investments, with different requirements for disclosure, records retention, and audits.
HIPAA and health records
The Health Insurance Portability and Accountability Act (HIPAA) requires, among many other things, that employee health records (and customer health records, if a company provides health services) be retained securely for a prescribed period and then disposed of securely.
Retention periods vary from two years to seven, depending on state as well as federal requirements and the types of records; for example, records of minors may need to be retained until the minors are 21. HIPAA requires that companies be able to demonstrate that records are secure -- and that they should be capable of determining whether records have been accessed in the event of a data leak.
The new Hitech Act, part of the 2009 economic stimulus package passed by Congress, offers incentives to use electronic health records (EHR) and will eventually reduce Medicare payments to doctors and physicians groups that don't use EHR. This means that in the long term, virtually all health organizations will be handling vast amounts of electronic data and will need to archive and protect that data.
PCI compliance and archiving
The Payment Card Industry archiving requirements revolve around security rather than retention periods -- data must be stored securely, in encrypted form. This includes data stored in online databases, data stored on tape or other removable media, as well as data transmitted over the Internet. Database access logs and other records of transactions must be stored separately to enable tracking and auditing of data access.
In addition to requiring encryption and other security measures, some states require notification of data breaches to all potentially affected customers, making it essential to track data breaches and to be able to identify all customer records contained in specific archives, tape backups, or other systems that could be accessed or lost.
Read more about how manage your archiving in InfoWorld's free PDF report, "Archiving Deep Dive," including:
- Vertical industry compliance
- Regulatory overlaps and conflicts
- The infrastructure of archiving
- Building an information lifecycle management strategy
- The right archiving strategy for you
This article, "Build archiving systems to meet compliance demands," was originally published at InfoWorld.com. Follow the latest developments in information management at InfoWorld.com.