"Access rights alone will not stop accidental and deliberate distribution, stem the inappropriate flow of sensitive information or reduce operational risks," said Joshua Duhl, an analyst at International Data Corp. (IDC) of Framingham, Mass. "Companies must find ways to continuously protect their sensitive and regulated content throughout its lifecycle."
To meet this need, a host of technologies under the broad umbrella of Digital Rights Management (DRM) has emerged. They offer policy enforcement, content protection from cradle to grave and the hope of salvation from regulatory purgatory.
But how well is DRM meeting the needs of compliance? And what does the technology have to do to more closely match business requirements?
According to Peter Sargent, an analyst at Jupiter Research (a division of Jupitermedia Corp.), DRM currently is being deployed only in small projects of less than 200 seats. By 2008, though, he predicts it will have an installed base of 10 million seats. Key adopters are financial services with 27% of the market, manufacturing (23%), government (15%) and healthcare/pharmaceuticals (15%).
What's driving the market? While viruses are still the No. 1 security problem reported in the enterprise, the No. 2 spot has been taken by unintended forwarding of email, followed by data loss and loss of devices such as laptops.
Cases of email forwarding are famous these days -- rants from Microsoft's Steve Balmer, for instance, have appeared on the front page of the San Jose Times. While getting some inside skinny from the world's biggest software company may add some spice to the day, more serious examples are the leakage of the personal details of customers, credit card numbers, corporate secrets and, of course, corporate crime. Hence HIPAA (Health Insurance Portability and Accountability Act of 1996), Sarbanes-Oxley (SOX) and a host of other regulations to protect the consumer and the investor.
"There is only going to be more legislation, so get used to it," said media consultant Rupert Perry, formerly an executive with EMI Music Corp. "But for the moment, DRM is not a high priority at the top management level."
Out of $3 billion spent on compliance to SOX in 2003, more than 90 percent was on hiring clerks. For the technology to become pervasive, however, it has to come from the top, and so far this hasn't happened. That may be changing, according to Mark Patton, vice president of development at SealedMedia Inc., based in Los Gatos, Calif. His company starts out at top management, sealing access to documents of the highest confidentiality.
"Once you get the top guys to buy in, it is a whole lot easier to push it down into the enterprise," he said.
As a result, SealedMedia is one of the few vendors that can boast enterprise-wide DRM deployments, some in excess of 50,000 users.
Projects of this magnitude, though, are few and far between. This may be due in part to the relative complexity of the technology. Adobe documents have one set of safeguards, Microsoft Office docs another. And then, of course, there is open source, as well as dozens of proprietary DRM applications on the market. Few of these solutions "play" well together, and there is relatively little progress to date on standards for digital rights.
"Vendor engineers tend to make technology implementation too complex so it is hard to adopt it and a hassle to integrate it with the rest of the enterprise," said Maureen Dorney, a partner at the Baltimore-based law firm of Piper Rudnick Gray Cary LLP, who specializes in privacy law and open-source technology legal issues. "You really have to dumb it all down to make it more user friendly."
Mike Stern, a technology attorney from the Palo Alto office of the law firm of Cooley Godward LLP, takes a more extreme view of the problem of DRM adoption to meet the needs of compliance.
"So far, all we have really seen in the compliance arena has been marketing innovation, not application innovation," said Stern. "Vendors have largely repurposed the same old applications in order to capitalize in a potential market in the compliance field."
At the same time, these individuals acknowledge that it's no longer possible to talk about compliance without getting into the technology arena. And here DRM can score points in terms of providing an audit trail for the document lifecycle, including who accessed it, how many times, when, and who they sent it to.
"Political issues surrounding corporate behavior make it important to deal with compliance and DRM certainly fits some of the necessary criteria," said Dorney.
For the moment, then, DRM may nibble at the fringes of the compliance universe, but it must seek other avenues to increase its market presence.
"We've never closed anyone to buy DRM based on compliance as the primary reason," said Patton. "DRM is complete overkill when it comes to HIPAA."
Sargent's research confirms this belief. Jupiter Research surveys show that the drivers of DRM are predominantly remote and traveling employees, customer demand and intellectual property needs. Those driven by federal mandate linger far behind.
"There is nothing in HIPAA and other regulations that mandates DRM," said Sargent. "From what respondents tell us, there is more interest in DRM for compliance purposes, but no evidence of a single sale for that reason to date."
Read more about Digital Rights Management issues at DRM Watch.