Sarbanes-Oxley will require a message-storage rethink

Regulatory compliance calls for better storage and retrieval of e-mail and other electronic messaging

The November 2004 compliance deadline for Section 404 of Sarbanes-Oxley is fast approaching. By that time, public companies with a market float of $75 million or more (the SEC's "accelerated filers") must be able to show that their internal controls over financial reporting are sound, that their audit trails are intact, and that their processes can produce data that an auditor can certify as correct.

Because there is no concrete guidance on what an adequate Section 404 audit trail must contain, companies have begun taking a broad approach to what they store. According to Dave Donelan, senior director for industry and compliance solutions at EMC, many data types beyond the ledger are falling subject to Section 404. "It's not just financial records, it is e-mail, voice mail, and video," Donelan told me.

Traditionally, government regulations don't specify exactly what a company's policy should be, but they do require that whatever policy is in place be followed. That is the trap: a policy you cannot enforce is worse than no policy at all. Even if a company adopts a policy of not retaining e-mail, few organizations can actually stop users from keeping copies.

If compliance auditors find one or two employees who have saved e-mail on their notebooks, there’s a good chance that the auditors will want to look at everybody’s PC. As a result, like it or not, companies will need to retain e-mail as a matter of policy.

According to AMR Research, the average user generates roughly 10MB of e-mail per day, a figure forecast to rise to 44MB per day by next year.

For all compliance records combined, the total annual storage figure per company is expected to grow from its current 300 petabytes per year to as much as 1.6 exabytes by 2006. That is roughly 1.6 billion gigabytes of data per enterprise, per year.

Still to come is the deadline for compliance with Section 409, which requires that material changes in a company's financial condition be disclosed on a "rapid and current" basis, in effect in real time. The demands of e-mail storage are already mounting. Will instant messaging be next?

Ultimately, Sarbanes-Oxley will require a major rethink on messaging. How will all of that data be stored and, more importantly, retrieved on demand? If you don't think information retrieval is a serious issue, let me remind you that last March the Securities and Exchange Commission fined Bank of America $10 million for failing to produce requested records within a reasonable time frame.

The demands of regulatory compliance are going to result in a great deal of new spending, that much is for sure. Ken Coleman, CEO and chairman of ITM Software, a company that inventories IT assets for compliance, says the additional audit alone will generate anywhere from $300,000 to $500,000 in costs for the average billion-dollar company. In addition, most industry analysts estimate that roughly half of all enterprises will need to implement new systems for record and e-mail management.

EMC's offering manages policy and compliance regulations for all message types, storing them in a knowledge-management system. Others say what message stores need now are relational databases, so that e-mail metadata can be queried and cross-referenced rather than merely kept. But then, will companies need to hire more DBAs just to manage e-mail storage? Still others are talking about XML databases that store e-mail metadata indexed by keyword.
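To make the relational approach concrete, here is an added example (written for this page; it is not EMC's product or any vendor's code) of a minimal e-mail archive in SQLite: headers are parsed into queryable columns, the raw message is kept verbatim beside a SHA-256 digest so an auditor can detect alteration, inserts never overwrite an existing Message-ID, and searches use parameterized SQL so a search term cannot change the query. The messages, addresses and table layout are constructed for the example and are assumptions, not data from the article.

```python
import email
import hashlib
import sqlite3
from datetime import timezone
from email.utils import parsedate_to_datetime


def _msg(sender, to, subject, date, message_id, body):
    """Build a minimal RFC 5322 message (constructed sample data, not real mail)."""
    return (f"From: {sender}\r\nTo: {to}\r\nSubject: {subject}\r\nDate: {date}\r\n"
            f"Message-ID: {message_id}\r\n\r\n{body}\r\n").encode()


# Constructed sample messages; every address and body here is fictional.
SAMPLE_MESSAGES = [
    _msg("cfo@example.com", "controller@example.com", "Q3 revenue recognition",
         "Mon, 13 Sep 2004 09:15:00 -0400", "<rev-q3-001@example.com>",
         "Please confirm the Q3 revenue figures before the audit committee meets."),
    _msg("cfo@example.com", "auditor@example.com", "Re: control testing schedule",
         "Wed, 15 Sep 2004 17:40:00 -0400", "<ctl-002@example.com>",
         "Testing of the revenue controls moves to next week."),
    _msg("it@example.com", "all@example.com", "Mailbox quota reminder",
         "Tue, 03 Aug 2004 08:00:00 +0000", "<quota-003@example.com>",
         "Quotas are enforced on Friday; archive what you must keep."),
]


def open_archive(path=":memory:"):
    """Create the archive schema (an assumed layout): searchable metadata
    columns plus the untouched raw bytes and their digest."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS messages (
        message_id TEXT PRIMARY KEY, sender TEXT, recipients TEXT, subject TEXT,
        sent_at TEXT, body TEXT, sha256 TEXT NOT NULL, raw BLOB NOT NULL)""")
    conn.execute("CREATE INDEX IF NOT EXISTS idx_messages_sent ON messages(sent_at)")
    return conn


def _body_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def archive_message(conn, raw):
    """Ingest one raw message and return its SHA-256 digest. INSERT OR IGNORE
    keeps the store append-only: a re-submitted Message-ID never replaces
    the copy that was archived first."""
    msg = email.message_from_bytes(raw)
    digest = hashlib.sha256(raw).hexdigest()
    sent_at = None
    if msg["Date"]:  # normalise to UTC so string comparison orders correctly
        sent_at = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc).isoformat()
    message_id = msg["Message-ID"] or f"<sha256-{digest}@archive>"  # fallback is an assumption
    conn.execute("INSERT OR IGNORE INTO messages VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
                 (message_id, msg["From"], msg["To"], msg["Subject"], sent_at,
                  _body_text(msg), digest, raw))
    conn.commit()
    return digest


def search(conn, sender=None, since_utc=None, keyword=None):
    """Metadata query built only from '?' placeholders, never from string
    formatting, so an auditor-supplied term cannot rewrite the SQL."""
    clauses, params = [], []
    if sender:
        clauses.append("sender = ?"); params.append(sender)
    if since_utc:
        clauses.append("sent_at >= ?"); params.append(since_utc)
    if keyword:
        clauses.append("(subject LIKE ? OR body LIKE ?)"); params += [f"%{keyword}%"] * 2
    sql = "SELECT message_id FROM messages"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql + " ORDER BY sent_at", params)]


def message_count(conn):
    return conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]


def verify_integrity(conn):
    """Re-hash every stored message; return the IDs whose bytes no longer
    match the digest recorded at ingest (tampering or silent corruption)."""
    return [mid for mid, sha, raw in conn.execute("SELECT message_id, sha256, raw FROM messages")
            if hashlib.sha256(raw).hexdigest() != sha]


if __name__ == "__main__":
    db = open_archive()
    for m in SAMPLE_MESSAGES:
        archive_message(db, m)
    print("CFO mail mentioning 'revenue':", search(db, sender="cfo@example.com", keyword="revenue"))
    print("integrity failures:", verify_integrity(db))
```

The digest only makes tampering detectable, not impossible: anyone with write access to the database file can rewrite both the bytes and the hash. For a real archive the digests (or a chained hash over them) would be written to write-once media or signed by a key the storage administrators do not hold, and `LIKE` wildcards (`%`, `_`) in a search term should be escaped if exact matching matters.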

Are solutions out there? Yes, but many of them haven't been tested under these new requirements. The truth is, you won't really know what works until it's tested under fire. Unfortunately, if it's true that we learn from our mistakes and not from our successes, there are rocky roads ahead.

Copyright © 2004 IDG Communications, Inc.