Data and data regulation growing at break-neck speed
We are living in an environment of exponential growth in business and personal data. IDC* and other market research firms continue to project mind-boggling growth in digital data, into the zettabyte range (1 zettabyte = 1 billion terabytes!). Concurrently, government regulation has been expanding rapidly for the past three decades, and this trend is not expected to abate any time soon.
Government regulations vary among countries and fields of business. Here are a few examples:
- Australia: Australia’s Privacy Act 1988, Australia Corporations Act s286 and s262A
- Canada: PIPEDA, ISO 19600:2014, GDPR
- Germany: Federal Data Protection Act 2017, GDPR, GoBD, HGB and AO
- United States: Sarbanes–Oxley, FISMA, FINRA, HIPAA, FRCP, NIST
Organizations, large and small, are compelled to collect, manage and make use of growing amounts of data to stay competitive while simultaneously complying with increasing government regulation around data management. Businesses that fail to deliver on both fronts can face serious consequences: from losing out to competition and jeopardizing their growth (or even survival prospects) to getting crippling fines from regulators if they fail to comply.
Being successful on both those fronts is no easy feat. On the one hand, businesses need data to make the most informed decisions about their customers when it comes to product development, sales, marketing and support. The more data gets collected, however, the more exposed the organization becomes to regulatory (and data loss) challenges and risks. Add to this balancing act the alarming increase in data loss and theft from cybersecurity threats, and it is no wonder that data governance and compliance is now a top agenda item for board members and management teams worldwide.
Before going forward, it would be useful to briefly define data compliance and to look back at the most significant data compliance regulation milestones in the last three decades:
What is Data Compliance Regulation?
Data compliance comprises a set of ongoing processes that ensure adherence to both organizational rules and to legal and regulatory requirements. Especially when it comes to the latter, most compliance regulation requires data to be well-preserved, secure, traceable, searchable and kept in original form. In other words, data archiving that must be legally defensible in front of a regulator or even an external auditor. We outline below three noteworthy regulatory milestones that have taken place in the last thirty years:
Data Regulation Milestone 1: US Healthcare
Let’s start with healthcare in the United States, where protecting personal health information (PHI) came into law in 1996 to regulate and protect the storage and transfer of patient information. Under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, health organizations (including veterinarians!) must store personal health information securely and privately to guard against potential threats (of loss or leakage) to these highly sensitive datasets, both in transit and during storage. The HIPAA Security Rule focuses on the administrative procedures, physical safeguards and technical safeguards required to protect access to personal health information. This regulation came into effect to facilitate medical insurance portability for US employees and to ensure the security and confidentiality of patient information in the US healthcare system.
| Date | Organization | Fine Total | Link to OCR Settlement |
| --- | --- | --- | --- |
| February 7, 2019 | Cottage Health | $3,000,000 | Cottage Health Settles Potential Violations of HIPAA Rules for $3 Million |
| May 6, 2019 | Touchstone Medical Imaging | $3,000,000 | Tennessee Diagnostic Medical Imaging Services Company Pays $3,000,000 to Settle Breach Exposing Over 300,000 Patients’ Protected Health Information |
| May 23, 2019 | Indiana Medical Records | $100,000 | Indiana Medical Records Service Pays $100,000 to Settle HIPAA Breach – May 23, 2019 |
Data Regulation Milestone 2: US Financial Institutions
While data retention regulation for many types of financial institutions has been in place since the 1930s, it is only in the early 2000s, in the wake of several high-profile scandals such as Enron and Tyco, that regulation expanded and began to be taken a lot more seriously. The Sarbanes-Oxley Act (also known as the Corporate and Auditing Accountability and Responsibility Act) was put into law in 2003 to help protect shareholders, employees and the public from accounting errors and fraudulent financial practices. The act thus covers retention, production, responsibility and internal control of the organization's records. Failure to comply can result in multi-million dollar fines or imprisonment. Since then, financial data regulation has taken the archiving industry to the size, importance and relevance that it has today.
The financial regulators (e.g. the SEC and FINRA) have taken data governance requirements to new heights by requiring third-party storage and archiving (meaning, for example, that the email provider cannot also be the email archiving vendor) and by expanding the scope and scale of data management like never before. It is interesting to note the growth of the compliance function overall, and in the finance industry in particular, since 2003 and especially after the 2008 financial crisis.
Data Regulation Milestone 3: EU Personal Data
The latest regulatory milestone is personal data protection, made famous (or infamous) by the EU when the General Data Protection Regulation (GDPR) came into effect more than one year ago, in April 2018. The EU wanted to give its citizens more control over their personal data. Using the well-known CIA framework (Confidentiality, Integrity and Availability) for data, GDPR dictates that all companies that want to operate in the EU (local or foreign entities) must follow strict procedures when preserving and utilizing their users’ personal information. It also defines personal data broadly, as anything that contributes to identifying the user (email, IP address, physical address, gender, etc.). Don’t comply and you risk massive fines: news of multi-million-euro fines imposed on companies like Google, Facebook, Marriott and British Airways has hit global headlines in recent months.
GDPR took form over several years in Brussels (EU headquarters), in part due to growing alarm over how tech companies have been using (some say abusing) personal data to maximize profit while exposing massive reams of personal data to multiple parties (not just the company collecting the data). While the EU has been the trailblazer when it comes to data protection regulation, other countries (and even some US states) are starting to follow suit.
We covered the above three areas of data compliance regulation, but other industries, such as consumer goods, manufacturing and legal, have their share of such regulation too. In Japan, for example, any company involved in importing or exporting (and that is most Japanese companies) is required by law to preserve email communications for up to 7 years. It is also important to note that email continues to be a key target for investigation and discovery requests as part of legal and regulatory investigations.
Source: Help Net Security; https://www.helpnetsecurity.com/2019/02/07/gdpr-numbers-january-2019/
The Need for Smart Compliance
It is abundantly (and painfully) clear that most businesses have no choice but to comply with these regulations or face grave risks and penalties. They also have to remain competitive by maximizing the utility of the data collected while deploying effective and affordable compliance tools and processes. In other words, the organization’s data compliance and archiving practices have to be both legally defensible and cost-effective.
How should your organization approach these challenges? It is imperative to find and deploy modern data compliance and archiving products around your data, and especially around email and email applications. The compliance and archiving products that you deploy must deliver on your data governance and regulatory requirements, yet must also be cost-effective and highly scalable. In short, the solution must have the following five essential capabilities:
- Data Preservation: It is highly preferable that data is stored in a third-party cloud that is not linked to production data and is always readable and searchable. Retention policies should also be customized to the regulatory requirements of the country and/or the industry.
- Data Integrity and Security: Data that is stored or archived cannot be rewritten or erased. A tamper-proof copy of every email sent or received should be archived in real time and be accessible only through designated role-based permissions. Data should also be encrypted both in transit and at rest, with access levels that make the archived data available only to designated users based on their role in the organization.
- Data Traceability: A clear chain of custody** of the data archive should be preserved, where every instance of data access or action is recorded in an audit log that is accessible to the archive administrators. Establishing a “chain of custody” is vital to validating the integrity of the data.
- Data Searchability: Organizations should be able to sift through large data sets when and as needed. The archived data should be fully indexed and searchable, with multiple search criteria available to make it easy for legal and compliance officers to search through the organization's emails and files. These highly paid officers should be provided with compliance tools so they can efficiently conduct what are called eDiscovery searches in the case of internal audits, lawsuits or regulator queries and investigations. In addition to search and eDiscovery, the archived data needs to be easily retrieved and downloaded when and as required.
- Scale and Cost Effectiveness: The platform of choice should ideally include backup, archiving, analytics and search/eDiscovery with scaling built in. Cloud-based solutions tend to scale much better. It is also recommended to work with vendors who offer per-user pricing with unlimited storage and retention, thus removing the stress of budgeting and projecting costs for the future. For deployments in larger organizations or through service providers, REST APIs are key for tighter integration into existing provisioning and management systems.
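The integrity and traceability requirements above (a tamper-proof copy that cannot be rewritten, plus an audit log that establishes chain of custody) can be illustrated with a small append-only archive whose audit entries are hash-chained, so that any altered message or edited log entry is detected on verification. This is an added illustration, not code from Dropsuite or any product named on the page; the sample email, the actor names and the `EmailArchive` class are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" value for the first audit entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EmailArchive:
    """Append-only (WORM-style) email store with a hash-chained audit log.
    Messages are addressed by their SHA-256 digest and never overwritten;
    every archive/read action is appended to the log, and each entry commits
    to the previous entry's hash, so edits or deletions break the chain."""

    def __init__(self):
        self.store = {}   # digest -> raw message bytes (hypothetical in-memory backend)
        self.audit = []   # chain-of-custody entries, oldest first

    def _log(self, action: str, actor: str, digest: str) -> dict:
        entry = {
            "seq": len(self.audit),
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action, "actor": actor, "object": digest,
            "prev": self.audit[-1]["entry_hash"] if self.audit else GENESIS,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.audit.append(entry)
        return entry

    def archive(self, raw: bytes, actor: str) -> str:
        digest = sha256_hex(raw)
        if digest not in self.store:      # WORM: an existing copy is never overwritten
            self.store[digest] = raw
        self._log("ARCHIVE", actor, digest)
        return digest

    def read(self, digest: str, actor: str) -> bytes:
        self._log("READ", actor, digest)  # every access becomes part of the custody record
        return self.store[digest]

    def verify(self) -> list:
        """Return a list of integrity problems; an empty list means the archive is intact."""
        problems = [f"content altered: {d[:12]}" for d, raw in self.store.items()
                    if sha256_hex(raw) != d]
        prev = GENESIS
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"audit chain broken at seq {e['seq']}")
            prev = e["entry_hash"]
        return problems


# Constructed sample message used for the demonstration.
SAMPLE_EMAIL = b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Q3 invoice\r\n\r\nAttached.\r\n"
```

In a real deployment the log's head hash would additionally be anchored somewhere the archive administrators cannot silently rewrite (for example, periodically signed or written to a separate system), since a hash chain alone only proves consistency, not who created it.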
Bottom Line: Data archiving and compliance practices should be legally defensible and should pass internal and external audits or legal queries with relative ease. At the same time, archiving massive amounts of data to deliver regulatory compliance and business continuity should be scalable and cost-effective.
Dropsuite’s cloud-based archiving platform helps organizations achieve both those goals while reducing the complexity for its users by delivering a simple yet feature-packed user experience. Dropsuite’s cloud-based email archiving solution helps any organization efficiently archive, store, safeguard, manage, and discover data from most email systems, including Microsoft Exchange Online (Office 365 including OneDrive, SharePoint and Teams/Groups), Hosted Exchange, G Suite Gmail, and IMAP or POP protocols. For more information, view Email Archiving by Dropsuite.
*By 2025, IDC says worldwide data will grow 61% to 175 zettabytes, with as much of the data residing in the cloud as in data centers.
**Chain of Custody (CoC) Definition: “CoC is the process used to maintain and document the chronological history of the handling, including the transfer of ownership, of any arbitrary digital file from its creation to a final state version” (US National Digital Stewardship Alliance)