Storage Admins Fear Regs
Storage managers at financial firms fret about new regulations for storing data
February 20, 2003
NEW YORK -- Several storage administrators at financial services companies huddled together at an Information Management Network conference here today to debate how to best tackle new regulations governing data protection and security.
The regulations -- some new and others reinterpretations of old statutes -- are so mind-boggling that many storage administrators are beginning to wonder whether some kind of malpractice insurance might be the order of the day.
"There is no certification for the IT department that protects us against these new legal issues," says a worried database administrator at a major New York bank, who requested anonymity. "If my boss tells me to shred a whole bunch of emails, that is what I am supposed to do... But I don't want to end up in court fighting against my CEO."
Last December, five top Wall Street brokerage firms were fined a total of $8.25 million for not preserving email communications as required under Securities and Exchange Commission (SEC) rules. Since then, storage policies have become an extremely sensitive issue for the financial industry.
The SEC isn't the only regulatory agency demanding that more data be captured, reported, and retained. Nasdaq, the Bank for International Settlements, and the Department of Homeland Security are drafting compliance legislation and rules faster than most people can read them. The goal, of course, is self-serving: To restore confidence in the markets.
"The regulations are coming out, but they are not in tune with IT reality," says Gene Piatigorski, storage manager at New York Life Insurance. "At this point, I feel like going and opening a dry cleaners."
Piatigorski says he needs something like a CliffsNotes guide that condenses all the new regulations into an understandable format. "I'm not a lawyer," he says. "I don't understand 99 percent of what it means."
Specifically, Piatigorski says he is struggling with regulations that address email archiving. "I don't know how to determine which part to keep and which to ditch."
Industry specialists say email and document retention management is more a policy-enforcement problem than a technical one. "All data needs to be classified and handled accordingly," says John Butler, co-founder of LiveVault Corp., which develops software that backs up data to third-party outsourcers.
Butler argues that hiring an expert or outsourcing the task to a company like Iron Mountain Inc., a data storage hosting firm, can help mitigate the risk. "You can't outsource the legal responsibility, but it is colossally impractical to manage this task yourself," he says. [Ed. note: Iron Mountain is a reseller of LiveVault's software.]
Not everyone agrees outsourcing is the best way to go. Mary Kirwan, senior director at Kasten Chase Applied Research Ltd.