The why and what of WORM technology: WORM tape libraries make sense - Tape/Disk/Optical Storage

Computer Technology Review, March, 2003 by Sharon Isaacson

It was not long ago when the most talked about security threats to companies were virus attacks and Internet hackers. We were all on alert for things like the "Melissa" and "I Love You" viruses. Then, just as we began learning how to protect our intellectual property against virus attacks, Enron happened. And the uproar of data integrity began.

In response to the recent series of highly publicized business scandals, all industries are being affected with new regulations on data retention and the type of media on which it is stored. Federal, medical, financial and banking organizations, as well as all public companies, are being forced to implement demanding archival requirements and are penalized if they do not comply with the regulations.

For instance, penalties can include 20-year prison sentences for knowingly altering, concealing or destroying documentation with the intent to impede, obstruct or influence an ongoing or contemplated U.S. federal investigation or bankruptcy proceeding. In other cases, firms are being fined in the neighborhood of $1.65 million for not meeting all regulation guidelines.

In 2002, President Bush signed the Sarbanes-Oxley Act that aims to strengthen accounting oversight and corporate accountability by enhancing disclosure requirements, increasing accounting and auditor regulation, creating new federal crimes and increasing penalties for existing federal crimes.

Similar to other areas of the law, Sarbanes-Oxley embraces the issues developing around the proliferation of electronic evidence. With 93 percent of all business documents created electronically and only 30 percent ever printed to paper, corporations in the last few years have been compelled to address the retention of--and potential liability associated with-- electronic documents and communication. Today's companies save nearly every electronic document and email because it can be stored electronically with relative ease.

With the increase in digital data, email, antiquated files and archival data stored on backup tapes or disks have to be kept for months or years. Case law reveals that preservation of all electronic data and email created in the course of business can come back to help a corporation when litigation ensues.

Section 103 of the Sarbanes Oxley Act requires the Public Company Accounting Oversight Board to require auditors to retain audit workpapers and other materials that support the auditor's conclusions in any audit report for a period of seven years. Some provisions of the Sarbanes-Oxley Act have been implemented by the SEC through rulemaking and require immediate action. The Act requires the SEC to implement significant reforms that affect today's companies.

The SEC has put into place Regulation 17 CFR 240.17a-4, which mandates regulatory archiving of data for finance customers. Also, government agencies are required to archive email for seven years on "unalterable media." The proposed rule would amend Regulation S-X to add Rule 210.2-06, which would require accountants to retain certain documents for a period of five years from the end of the fiscal year in which the audit or review was concluded.

Companies that aren't meeting these new requirements are often waiting until they are caught, then are reactively paying these fines and afterward trying to find ways to meet the new regulations. But trying to meet these new requirements, complete daily backups and manage data growth has proved to be an expensive problem as well.

The healthcare industry is yet another industry that has received stricter data security guidelines. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) adds privacy and security requirements for health information that will be difficult for healthcare enterprises to meet without centralized data archiving. HIPAA promises to significantly impact the IT and healthcare industries by requiring a new, more stringent focus on privacy and security of healthcare information.

The healthcare community traditionally experiences three primary data storage needs: backup/restore, disaster recovery and patient image archiving. As a result, the storage of critical patient data and administrative information was handled departmentally, creating "islands" of disparate data.

The departmental "islands," with their legacy storage systems, will have to be backed up in order to comply with HIPAA. Since most of these archives are less than five years old, discarding them is not an attractive option. The answer that these customers are looking for is to provide a viable alternative to maintaining existing storage while providing HIPAA compliance.

Hospitals especially face tremendous business continuity dilemmas.

* Data backup plan: A documented and routinely updated plan to create and maintain, for a specific period of time, retrievable, exact copies of information.

* Disaster recovery plan: Part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.