NEW YORK—Corporate IT managers have their work cut out for them trying to get their data-storage practices in line with myriad corporate regulations.
Three IT professionals at financial services companies told a packed crowd at the Storage Decisions Conference here this week how they are perplexed and overwhelmed by the spate of new regulations that require their companies to make daily judgments on which data to keep and which to get rid of.
Jay Cohen, chief compliance officer at New York-based The MONY Group Inc., said he spends a great deal of time with his companys CIO and chief financial officer trying to balance regulatory compliance demands.
He said he sees increasing pressure from regulators, who are making more frequent requests for records; from auditors looking to ensure the privacy and security of customer data; and from new and evolving rules regarding e-mail, money laundering and the Sarbanes-Oxley Act.
"There isnt a single aspect of our business that doesnt touch on compliance and technology," Cohen said.
"From my perspective, the expectations of regulators, courts and the public have grown tremendously," Cohen said. "They expect that we can provide a particular piece of information [in an instant], and that we will be able to provide it 10 years from now. The expectations are enormous."
The panelists agreed that one essential way to spread the work of deciding which data to archive and which to trash is to make everyone in a company responsible—from the CEO down to the mail-room attendant—for implementing some aspect of the companys data-retention policy.
"Its been a huge change—everyone has been told that everyone is responsible for compliance," said Shaun Mahoney, senior storage engineer at New York-based Citigroup. "Everyone needs to know the regulations, everyone needs to know who their records management officer is, everyone needs training."
Randy Wilson, vice president of IT at Boston-based Essex Investment Management, works at a smaller company than either Cohen or Mahoney does, but his problems with getting users to understand the retention requirements are no less difficult.
"Retrievability [of old e-mail messages] is the easiest part of regulatory compliance," Wilson said. "Its educating the users, so they understand what we need them to do, that is difficult."
IT managers attending the discussion asked for guidance on deciding the difference between records and data. Data is just a stream of zeros and ones, one audience member said, while regulations require the retention of records, which in some cases mandate that the application logic be applied to raw data to make it useful.
Cohen and Mahoney commiserated with the questioners. Mahoney pointed out that he tries to make sense of regulations but that there are 15,000 regulations covering the financial services industry.
"You have to make the best effort," Mahoney said. "You have to decide based on what you feel is a comfortable risk that your company can live with."
New York Attorney General Elliot Spitzer has filed a series of lawsuits against Wall Street companies for failing to comply with e-mail retention regulations. That has been a wake-up call for his industry, Citigroups Mahoney said.
"Nobody wants to open The Wall Street Journal and see the name of their firm in the same sentence with Elliot Spitzer," Mahoney said.