Playing by the Rules: A Compliance Checkup

Topics: Govern Information

Are regulations and compliance mandates informing your data backup, recovery and archiving strategy? Failing to play by the rules can be an expensive mistake.


In some situations, ignorance may be bliss. But try explaining to regulators that you don’t understand the rules that govern your business.


Many Wall Street firms probably wish they had known more about Securities and Exchange Commission Rule 17a-4 a few years ago. The then-obscure piece of regulation designates the types of internal records a firm must produce for federal regulators when they come calling in search of evidence.

Then the Feds used another obscure law, the Federal Trade Commission’s Red Flag Rule, to demand access to email archives. As a result, many firms scrambled to find requested files to remain in compliance—and not all of them rose to the occasion.

The end result: Many businesses now a) have written and enforced retention policies and b) index records in their archives for easier recovery.

Raising the Bar—and Vaulting Over It

If the example of Wall Street’s brush with disaster isn’t enough of a wake-up call, consider the fact that failure to comply with the rules and regulations that apply to your business can cost you where it counts the most—your bottom line—in the form of fines, legal fees and a tarnished reputation among your customers.

A flexible archiving strategy and data migration plan can ensure compliance and shield your company from the wrath of regulators. And you’ll likely shrug off a lot of your IT costs as you shed the legacy systems you use only to access data in older formats.

Count on Tape

At the heart of any compliant archive is the storage media used to house data. Although you could employ a mix of media, tape is still number one when it comes to archiving. According to a 2010 Aberdeen Group report, 75 percent of all Best-in-Class and Industry Average organizations still use tape. And with good reason: LTO-5 tape, with native capacity reaching 1.5T, is inexpensive and reliable, and both its identification and access capabilities continue to improve. 

By now, you should know what information is vital to keeping your business up and running smoothly—and where it’s located. If not, familiarize yourself and your employees right away so you can differentiate between active and less active data: what can be sent to “cold storage” until regulators demand it, and what needs to be kept close at hand. Once you’re comfortable with your data needs, you must:

Step 1: Follow the rules. Ignorance may be bliss, but try explaining to regulators that you don’t understand the rules that govern your business. You must know the laws, both federal and state, that apply to your company and the specifics regarding data storage, format, retention and retrieval. For instance:

  • Is your company up to speed on HIPAA 5010, an update of the Health Insurance Portability and Accountability Act, and the implications it might have on how you manage information?
  • If your company has market capitalization of less than $350 million, does your archiving strategy reflect that you are no longer obligated to Sarbanes-Oxley Section 404 (per action by the House Financial Services Committee)?

You’ve got a lot of regulatory ground to cover. Consult with your general counsel and, for local regulations, look to your state bar association for guidance. (Also see the sidebar “Help Wanted: Keeping Up with the Law.“)

Step 2: Institute a backup routine. Make sure there are no gaps. Some companies start off strong but then loosen the reins a bit. And a lot of backups fail because they are interrupted midstream, sometimes because tapes are removed prematurely or a scheduled backup window closes.

Step 3: Formulate a data migration plan. Get your information into the proper formats. That may mean forklifting it out of legacy systems. Then schedule migration of data to readable, retrievable, application-agnostic formats.

Step 4: Ensure retrievability. You’ll want a searchable index of all stored data. Make sure the data is viewable and readily retrievable.

Step 5: Develop retention and disposition schedules. Rule 17a-4 specifies that you must have written and enforceable retention policies in place. Other regulations have similar guidelines. But even if it wasn’t mandated, this is just good policy. Don’t let “expired” data obscure what’s important; keep what you need and dispose of what you don’t.

Step 6: Keep it safe. Protect data on the long and winding road from its generation to the archive and into the hands of those who must access it. You’ll preserve chain of custody and protect your business from costly security breaches.

Step 7:  Securely destroy data. Once your data’s regulatory usefulness has expired, you can’t just toss it in the trash bin and haul it out to the curb. Compliance extends to the grave and beyond, with most regulations requiring that you securely destroy information. Massachusetts 931 says it must be “either redacted, burned, pulverized or shredded.” It also stipulates that electronic media “shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.”  

You’ll also need a place to store those tapes. An offsite vault, run by a trusted partner, will offer a secure, climate-controlled environment.


Iron Mountain Recommends

Team with a partner to ensure that your archives comply with the regulations your business must follow. The collateral benefits will include the ability to:

  • Access backup data quickly and efficiently
  • Review, audit and improve your program continuously
  • Manage media effectively
  • Safeguard data according to thoughtful retention schedules
  • Archive vital data
  • Pull up files quickly in response to regulatory compliance
  • Securely destroy data after retention

Help Wanted: Keeping Up with the Law

Sorting out just how regulations—and their many amendments—might shape your archiving strategy isn’t easy. But help from these reputable legal, government and regulatory expert sources is just a few clicks away:


Do you have questions about data backup and recovery? Read additional Knowledge Center stories on this subject or contact Iron Mountain’s Data Backup and Recovery team. You’ll be connected with a knowledgeable product and services specialist who can address your specific challenges.

Related Content:

Carving a Path to Energy-Neutral Technology

Should You Chase the Cloud?

Should It Stay or Should It Go? 10 Steps to Leveraging Data on a Tape Backup System