There has been much buzz about government mandated regulatory compliance over the last few years resulting in volumes of overly confusing and ominously threatening regulations. Businesses are told they must control access to data, specifying and providing justification for who may access what types of information. There must also be testing and documented proof that data cannot be accessed by unauthorized personnel. Yet to my knowledge there are no official documents specifying or recommending how this is to be done. It seems to be up to the Information Systems Administrators of each company or organization to figure out how. But then an audit or a court order could determine whether their procedures were adequate or worthy of fines or penalties.
There are also ambiguous data retention requirements that seem to automatically put many small businesses at risk simply for not having the resources in place to bear the burden of long-term data retention. In addition to retention, there also must be a means of rapid data discovery. This becomes extremely problematic when business management system software is developed by third party vendors. Periodically, new versions of the software are released that are unable to directly access the data retained by earlier versions of the software. You would think then that it would be up to those software vendors to provide a means for data discovery, but they might be inclined to charge outrageous fees for doing so. Or there may be a conversion process that could call into question the integrity and authenticity or historical purity of the data.
Another issue that affects data retention is the technological changes and advancements in the materials and methodologies of data retention. For example, data may have been stored consistently on tape for years, but then the tape drives fail and have to be replaced with newer, technologically different drives that are unable to read the old tapes. Of course a full backup of existing data is performed on the new media and everything is fine until there is a request for the data as it existed on a date well prior to the conversion, or involving files that had been erased before that date and can be found only on tape backups that cannot be read by the existing equipment.
Data encryption presents another dilemma in terms of data discovery. The encryption algorithms and keys are not always managed by the Information Technologies staff. Individuals can password protect their own documents and encrypt their own e-mails, making attempts at data discovery extremely difficult.
Small businesses will have a hard time complying with the regulations, and may be forced out of business rather than spending the resources and effort to implement them. So at a time when the economy is suffering, jobs are few, unemployment is high, and both large and small businesses are struggling, along come government regulations to close more small businesses and put more people out of work.
On the other side of that coin, though, new businesses have arisen offering to help other businesses sift through the regulatory compliance issues. And that’s fine for some large to mid-sized companies and even a few small companies. But there are still a lot of small and struggling businesses that just cannot justify the expense of something they might never really need. Of course you could say that about insurance, too. And this could be viewed as a type of insurance. But at some point you have to draw the line on some business expenses just so you can stay viable.
There’s a big difference between encouraging responsible data governance with recommendations for successful implementation, and imposing regulations and requirements with severe penalties for non-compliance. I’ve been informed that there are such regulations, but I’ve been hard pressed to find a basic do-it-yourself kit for small businesses to bring themselves into compliance, or at least get a better feel for what should be done.
I sometimes wonder whether those writing and defining the regulations actually want the businesses to fail compliance audits so that the regulators can profit from the fines they impose.
Tracy Henness