The SEC has expanded Rule 17a that covers exchange member and brokerage house record keeping. Rule 17a now includes all forms of internal and external electronic communication, such as e-mails, instant messages, order tickets, approvals and more. There seems to be nothing in writing from the SEC that extends e-mail and IM retention to companies covered under Sarbanes-Oxley, but some experts advise all Sarbanes-Oxley companies to observe the electronic message requirements of Rule 17a .
Requires: Non-rewritable, non-erasable, time stamped, duplicate message storage; third-party download and storage service; fully indexed and searchable messages; data retention for 6 years, with the first two years being in faster storage. "Immediately" provide a copy of any message upon SEC request.
Implications: Increased primary and WORM storage volumes; improved indexed message retrieval from primary and backup media, with query/report tools.
Personal Information Protection and Electronic Documents Act
Enacted by Canadian government in 2000, this act is unique because it follows a national privacy standard: the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information. The act covers personal privacy and electronic documents.
Requires: Consent before disclosing personal information; well planned and documented privacy policies made known within the company; levels of information sensitivity and security; data retrieval on demand by customer or law enforcement; data retention only as long as required by law.
Implications: Company-wide security policies; procedures for gaining customer for permission to disclose private information; increased secure storage volume; indexed document retrieval from primary and backup media; security level zoning.
While these laws mean a whole lot of overtime for storage professions in the coming years, privacy is actually far more than a legal obligation. As the Harris Interactive Surveys show, it is also good business.
Almost 50 percent of consumers, for example, would buy more frequently and in greater volume from companies known to have more reliable privacy practices. On the other hand, 83 percent would stop doing business entirely with companies that misuse private information. 75 percent mistrust company confidentiality, transaction security and protection against hackers.
The bottom line: Customers want their information kept private. And storage professionals are going to be under more corporate scrutiny than ever as a result of the legislation covered above.