DBAzine.com

Legal Requirements to Archive Database Data

Continuing along the vein of my past few blog entries, we look at the legal mandate for data retention.
I've been blogging about data retention and database archiving here lately, with my last three entries discussing: The Trend Toward Long-Term Data Retention, The Impact of Data Volume on Operational Databases, and a definition of Database Archiving. In today's entry, I'd like to flesh out some of the regulations and legal mandates driving the need to archive your database data.

The corporate accounting scandals of the past few years have caused an onslaught of new laws to be written. These laws place regulations on how businesses are to treat their sensitive, business-critical data. Additionally, older laws that have been on the books are being enforced more rigorously than in the past. Basically, government regulations are being adopted to ensure that corporations are "doing the right thing" with their data.

The number one driver of data management initiatives is government regulations. The growing number of regulations and the need for organizations to be in compliance is driving data retention and extending the length of time that data must be retained. Regulations such as the Sarbanes-Oxley Act, HIPAA and BASEL II are some of the laws governing how long data must be retained. But this is just the tip of the iceberg. Industry analysts have estimated that there are over 150 federal and state laws that dictate how long data must be retained.

Many of these laws greatly expand the duration over which data must be retained. Until recently, most organizations dealt with mandatory retention periods of only a few years for important business data. And this data was kept around longer mostly to serve business purposes and not for legal requirements. But the situation has changed due to the bevy of new regulations at the federal, state, and local levels. Depending on the industry, what were once five- or seven-year retention periods are now expanding to 20, 30, even 70 years. Today, retention periods are determined almost exclusively by government regulations and not by business needs.

To comply with these laws, corporations must re-evaluate their established methods and policies for managing and retaining data. What worked in the past to retain data for a few years will no longer be sufficient over a much longer period.

Perhaps the most significant piece of legislation impacting data governance is the Sarbanes-Oxley Act. Section 802 of this act defines penalties for altering or deleting important business data and documents. Additionally, this legislation supports the records preservation rule defined in the Securities and Exchange Act of 1934 (Rule 240.17a-4). This means that electronic storage media must preserve the records in a non-rewritable, non-erasable format. Clearly, Sarbanes-Oxley requires organizations to implement a robust data retention solution.

But, of course, Sarbanes-Oxley is not the only legislation driving data retention requirements. Indeed, the Association of Corporate Counsel publishes its Model Corporate Records Retention Plan, which establishes guidelines for developing and implementing a records retention program. Additionally, it provides copious examples of the types of data that must be retained. This information is documented in the excellent reference book, Electronic Evidence and Discovery by Lange & Nimsger.

Of course, the exact legal requirements for data retention will vary for each organization based on its business and location. The only overarching truism that can be stated is that more and more data is mandated to be retained for longer and longer durations. As such, businesses will need to become more adept at categorizing data to accurately grade it for its mandated retention period. And then businesses must be capable of retaining and accessing that data in accordance with the appropriate regulations, as required.

The ability to produce retained data upon request is frequently driven by lawsuits. You probably can recall examples of courtroom showdowns on television where truckloads of paper documents were required during the discovery process of the lawsuit. But times have changed. Increasingly, the data required during the discovery process is electronic, not written.

According to published research from Gartner, Inc., "Electronically stored documents are becoming the predominant form of evidence presented in courts of law." As such, we need to take great care with the data stored in our computer systems to preserve and maintain that data for electronic discovery purposes. Gartner goes on to state "Because more litigation is based on evidence that is stored and managed electronically, correct and swift production of that evidence is an important business process."

To wit, the U.S. Supreme Court has approved amendments to the Federal Rules of Civil Procedure (FRCP) concerning discovery of electronically stored information. FRCP Rule 34b states that “A party who produces documents for inspection shall produce them . . . as they are kept in the usual course of business...” So, if the data is stored electronically during the usual course of business, it must be produced electronically. I discussed this in more detail on my Data Management Today blog in the entry titled The Federal Rules of Civil Procedure Are Changing.

As we begin to comply with laws requiring long-term data retention, data archival will become more pervasive. We can’t just keep decades upon decades of data in our production databases. Research conducted by the Enterprise Strategy Group indicates that digital archive capacity will increase nearly tenfold between 2005 and 2010. Total worldwide digital archive capacity in the commercial and government sectors will grow from about 2,500 petabytes in 2005 to more than 27,000 petabytes by 2010. And they state that the major factors driving this growth will be regulatory compliance, corporate governance, litigation support, records management, and data management initiatives.

So, clearly organizations will be retaining more data over longer periods of time. And this will create the need for new policies, procedures, methodologies, and software to support storage, management and access of archived data.

Wise organizations have already begun planning their data archival and retention plans... don't be left behind.

Tuesday, January 02, 2007
Craig Mullins
Data Management Specialist