Government regs taxing on storage resources

Complying with government regulations is taking an increasing toll on IT storage budgets and resources, analysts say.

Businesses are spending a majority of the money earmarked for storage on software and hardware that lets them comply with the thousands of rules and regulations enacted by federal and state legislative bodies.

“It’s the only thing that’s driving customers to buy anything this year, because it’s mandated that they spend money,” says Jamie Gruener, senior analyst for The Yankee Group.

Spending on hardware, software and services related to storage compliance will exceed US$6 billion over the next four years, according to a recent Enterprise Storage Group report.

Mark Moroses, senior director of technical services and security officer at Maimonides Medical Center in New York, says the cost of storing compliant data – in his case, diagnostic images and medical records – is increasing dramatically.

“We anticipate increasing our expenditures (for archiving and retaining data),” Moroses says. “Each usage needs to also be evaluated on its own merits, but regulatory need is an important factor.” Moroses has 7 terabytes of data he needs to keep. He says it will increase to 26 terabytes over the next four years.

Rich Banta, senior enterprise systems engineer for St. Vincent Hospital and Health Services in Indianapolis, expects his compliant storage needs will quadruple as a result of the Health Insurance Portability and Accountability Act (HIPAA) rules and other regulations.

“Not only are we regulated by HIPAA, but by the Joint Commission on the Accreditation of Healthcare Organizations and ISO 17799,” Banta says. ISO 17799 is a standard that gives organizations best-practice guidelines for information security.

Whereas many organizations responded to the Sept. 11 terrorist attacks by voluntarily allocating more money to disaster recovery, Gruener says, customers now are compelled to develop methods and plans for archiving records the government considers critical. There is the very realistic chance that their businesses will lose money because of data loss or incur fines or penalties imposed by the government, he says.

“There is more of a mandate to be ready for compliance than there was for disaster recovery,” Gruener says. “There were no regulations for disaster recovery until some of the compliance regulations like HIPAA mandated them.”

Recently, six firms were fined $8.35 million by the Securities and Exchange Commission (SEC), Massachusetts securities regulators, the National Association of Securities Dealers and the New York Stock Exchange for failing to retain e-mail records or their inability to retrieve records.

The Health and Human Services Office, similarly, threatens organizations with fines of as much as $250,000 and 10 years in jail for intentionally disclosing confidential patient health information.

“The risk of non-compliance is real,” says Peter Gerr, analyst with Enterprise Storage Group. “It’s not an insurance policy like disaster recovery. It requires IT organizations to review what they are doing today and then really understand where they have to spend to close gaps or where they can delay spending.”

Keeping compliant records is big business. Enterprise Software Group says the capacity of storage required for keeping compliant records will increase dramatically over the next three years. The research firm estimates that 376 petabytes of compliant records this year will increase to more than 1,644 petabytes in 2006, a compound annual growth of 64 percent.

Enterprise Software Group says compliant data has three characteristics that contribute to the swelling numbers: Data must be retained for longer periods of time; it must be readily accessible; and it must be capable of being accessed by a number of sources.

Jack Scott, managing partner of Evaluator Group, says that while recently there has been a lot of attention paid to compliant data, the data itself isn’t new. The expenditures are just being shifted to new areas.

“Most of these megabytes and petabytes of storage have been here for years,” Scott says. “All the stuff you are hearing about today is an evolution from records management disciplines and laws that have existed for years.”

Compliant records traditionally have been stored on tape, optical disk, paper or microfiche/microfilm, where they were often difficult if not impossible to retrieve quickly. The records were the domain of records administrators, who were responsible for interpreting the regulations as they pertained to storage and who built audit logs of data accesses and modifications. IT managers only became involved when those records were imaged and the resulting data transferred to tape for archiving.

However, with the advent of Advanced Technology Attachment disk and software approaches to ensuring the quick access, auditability and authenticity of data, IT managers are turning to disk- and software-based approaches for data retention, Scott says.

“It’s an opportunity that is in front of us,” he says. “Mostly this is recognition that there are rules out there that mandate retention periods that the IT community, by and large, has been stiff-arming previously. Now all of a sudden the IT community is becoming aware of the legal rulings under which data must be stored.”

Enterprise Storage Group says compliant data storage will shift from tape to disk fairly quickly. Disk-based storage represents the fastest-growing media segment, growing from 17 petabytes in 2003 to more than an estimated 350 petabytes in 2006. By contrast, tape-based storage will decrease from 75 percent use in 2003 to 64 percent in 2006 as disks take over as the primary archival medium.

It was only two months ago that the SEC realized its guidelines for data storage might be too restrictive. In an interpretive release issued in May of Rule 7a-3&4, the SEC removed any verbiage about the type of medium used. The new release says only that broker-dealers can use a hardware/software combination that prevents the overwriting, erasing or altering of a record during its required retention period.