IBM Helps Companies Push Toward Regulatory Compliance

Spurred by rulings designed to improve corporate accountability, companies are scrambling to comply with an escalating burden of legislative record-keeping requirements — and they are spending millions of dollars on consultants, lawyers, auditors and new technology in the process. Now, IBM has stepped up to the plate with an offering designed to ease the burden of compliance.

The TotalStorage Data Retention 450, announced Thursday, is a storage, server and software retention system that could shift some of that burden to technology instead of people, allowing companies to retain data without alteration throughout its lifetime. Essentially, the product can provide a central point of control to manage growing compliance and data retention needs, according to IBM.

Employees Stretched Thin

Jack Scott, managing partner of The Evaluator Group, told the E-Commerce Times that regulations such as the Sarbanes-Oxley Act and Health Insurance Portability and Accountability Act (HIPAA) add an incremental layer of duties on people who are stretched pretty thin already. Among the data that must be retained are e-mail messages, instant messages, business transactions, contracts and insurance claims.

“Being short on resources, most people will stop, look, study and implement where necessary,” Scott said. “It is very expensive to come into compliance with these regulations, many of which are the result of 9-11 or corporate malfeasance in the last couple of years.

“The amount of data that must be collected and maintained represents under 10 percent of all corporate data,” he added, “but it gets a disproportionate amount of attention because of scare tactics and the once-in-a-blue-moon circumstances where [that data] might be needed. Today, C-level executives go to jail if convicted of changing so much as the date on an e-mail message.”

In particular, the 2002 Sarbanes-Oxley Act Section 404 regulations to enforce accountability affect record-keeping processes at thousands of organizations, large and small.

Big Blue Steps Up

Alan Stuart, chief strategist of IBM compliance and data retention solutions, told the E-Commerce Times: “Customers tell us they don’t have a good grasp of what they need to do with their data. It is not a singular event like Y2K. This is a change to the way we do business. It will be three to five years or longer before companies put in all the processes they need and monitor compliance as a normal course of business.”

“The 450 is a new piece of technology, fitting with [companies’] existing DB2 records manager and Tivoli server,” Scott said, “which uses policy-based rules to store data for a specific time period.” Companies subject to litigation, audit or other inquiries can protect records for the length of the inquiry or for indefinite time periods during investigation. The software also verifies that data is written correctly to help ensure that no modifications or deletions are made after the storage date.

“As regulations change over the years, the customer’s legal department, consultants and auditors bear the responsibility to update their policies. We, as a vendor, also monitor change to ensure we provide technology capabilities as requirements might change,” Stuart noted.

Beyond Technology

Now, IBM claims it has the most comprehensive set of solutions for compliance and data retention, systems software storage and services.

“We’ve been doing information lifecycle management for 30 years,” Stuart said, “but this is the first time we are bringing the full force of IBM together to bring customers this solution. Most issues are not technology problems, they are business problems.”

For example, Section 404 has non-erasability, non-rewritability requirements. That means the regulations tell customers to protect their data, in essence saying, “Do what you should have done in the first place, and now if you don’t we’re going to send you to jail,” Stuart said. “They’re asking companies to put rigor into it.”

For large corporations, the SEC reports that compliance with Section 404 will require more than 12,000 man-hours and an average of US$732,000 for external consulting, software and other vendor charges.

IBM states its new offering, based on open standards, can integrate with content management or archive applications on more than 600 different storage devices. It is expected to become available next month, with costs starting at US$141,600.