What do electronic health records, identity theft, the Enron scandal, and the mortgage crisis of 2008 have in common?
The answer is that all of these have contributed to a tsunami wave of new and complex regulations concerning the storage and management of data. Crisis leads to regulation, and in the 21st century we’ve had more than our fair share of both. It’s what keeps CIOs and corporate compliance officers awake at night.
The Need to Protect Personal Data
Nearly 20 years ago, fears about the security of electronic health records led to HIPAA (the Health Insurance Portability and Accountability Act) and the definition of strict rules concerning individually identifiable “Protected Health Information” (PHI). Under HIPAA, unauthorized disclosure can result in fines of up to $50,000. And this concept has now grown to encompass far more than the medical world.
Increasing concerns over credit scores and identity theft have caused the Federal Trade Commission to promulgate regulations to protect all kinds of consumer data—and any other “Personally Identifiable Information” (PII)—from unauthorized use and unauthorized disclosure. These include obligations to keep data accurate and up to date, keep data reliably for as long as it is needed, and to dispose of it properly when no longer needed. Currently, over 80 countries have adopted similar data privacy and security laws, many stronger than in the U.S.
Such regulations are even tougher where credit cards are concerned—which affects nearly all businesses. PCI (Payment Card Industry) standards require that cardholder data storage and retention time must be kept to the minimum necessary to meet specific business, legal and regulatory needs—and not any longer than that. This must be determined precisely and backed up by rigorous data retention and disposal policies. In addition to other potential penalties, failing to comply with these requirements can result in fines of up to $100,000 per month. And for the banking and financial services industry, the Gramm-Leach-Bliley (GLB) Act extends these kinds of strict protections to any other sort of personal financial data.
Basically, no matter what kind of business or industry you’re in, you are likely to be affected by a multitude of such regulations concerning data privacy, security, accuracy, and retention requirements.
The Need to Manage and Protect All Your Data
After the Enron and WorldCom scandals—and the technology crash of 2001—sweeping legislation was enacted to ensure the accuracy and reliability of financial information. The Sarbanes-Oxley (SOX) Act of 2002 threw out standard auditing practices, and it required that all business information ultimately affecting the accounting statements of public companies be carefully related, managed, and tested. “All” such information turns out to encompass practically all data captured in the course of business, as everything is related at some level. In fact, Sarbanes-Oxley requires specific, detailed mappings of all the underlying records that ultimately back up each item in the financial statements, and rigorous verification that each of these records is properly managed, approved, preserved, and retained.
Sarbanes-Oxley also prescribes prison sentences of up to 20 years for intentionally altering or destroying critical records. While the Act does not specify the data or documents to which this applies, presumably this could include anything that would be material to a corporate audit, federal investigation, the system of internal controls, or the accuracy of financial statements. Furthermore, while the Act prohibits “knowingly” altering or destroying data and documents, if information turns out to be critical it might be hard to prove that its deletion or modification happened “innocently” as part of standard procedures.
The Need to Access Past and Present Data Whenever Required
Part of Sarbanes-Oxley is the requirement that all data needed for audit and risk testing be immediately available and accessible—even relevant data that is no longer actively being processed. To comply with this, you need to know where all your past and present data is located—and how it is related.
You also need to be able to produce such data on demand, for either internal or external compliance audits. Saying the data is stored somewhere in that stack of backup tapes in the warehouse isn’t going to be good enough. Nor is a plea that it’s hard to access data stored in antiquated IT applications. In fact, that turns out to be completely the wrong way to look at it. Gone are the days when you worry mostly about the annual financial or regulatory audit. Sarbanes-Oxley requires that you demonstrate a continual set of reliable recordkeeping, auditing, and risk-testing processes.
While all public companies are subject to Sarbanes-Oxley, it gets even harder if you’re in the banking and financial services industries. After the mortgage crisis and stock market crash of 2008, unprecedented regulations were enacted in the form of the Dodd-Frank Act, the Volcker Rule, the Basel III reforms and others. Now financial institutions not only have to protect personal information and financial data—and continually test that their recordkeeping is accurate and reliable—but also have to prove that they proactively manage their financial stability. This includes continual identification and analysis of where risks might occur, and rigorous financial risk testing. As with Sarbanes-Oxley, whatever data is relevant must be easy to locate and access. But the data needed for Dodd-Frank compliance is less predictable and more likely to involve analysis into the past. This isn’t easy and can be very expensive. One recent testimony before Congress, in fact, reported that Dodd-Frank alone had increased compliance costs five-fold for a small credit union.
Furthermore, the impact of Dodd-Frank is not limited to the financial industry. Interestingly, it also contains provisions that affect the costs and related risk management for financial transactions in the Energy and other industries.
Staying Awake at Night
Taken separately and together, this sweeping set of new regulations forces a huge change in the way data is stored, managed, and archived. Trying to comply using existing processes and systems can be extremely expensive, if not impossible. This is no doubt why, in a recent survey, 48% of CIOs and compliance officers felt that the likelihood of a compliance failure was “high” or “very high” in their organization.
What’s more, a full 65% of those surveyed felt that the impact of such a compliance failure would be “high” or “very high.” That’s a little scary, to say the least. An even more recent survey reported a major perceived trend for CIOs and compliance officers to be subject to increasing personal legal liability for compliance failures. For many, that’s scary on steroids.
But, with all this in mind, there’s good news to be shared as well. In our next blog, we’ll show you how the major issues identified here can be addressed with the proper kinds of processes and technology. Specifically, we’ll analyze how EMC’s InfoArchive can provide the right foundation for managing and protecting personal and business data, knowing where all your data is and how it relates, and being able to access both current and past data on demand.
Anderson, Heather, Credit Union Times, September 17, 2015, https://www.cutimes.com/2015/09/17/dodd-frank-increases-compliance-costs-five-fold-ea.
PricewaterhouseCoopers and Compliance Week, Survey on Corporate Compliance Practices, as reported in Curran, Chris, CIO Dashboard, July 7, 2011, https://www.ciodashboard.com/risk/cios-role-compliance/.
Thomson Reuters, Cost of Compliance 2015, as reported in Mont, Joe, Compliance Week, May 13, 2015, https://www.complianceweek.com/blogs/the-filing-cabinet/survey-overloaded-ccos-expect-increased-personal-liability#.Vfx9wJfG8g6.