Legislative Burden on IT

Many of us have been blissfully ignorant of the myriad legal requirements that our companies face and our role in meeting these requirements, but times are changing. Many industries have worked with a document-retention burden for many years, particularly with HR and health and safety issues. For example, the Rehabilitation Act of 1973 requires record retention for three years. OSHA requires record retention for 30 years in matters relating to toxic materials.

However, recent legislation, including Sarbanes-Oxley, Gramm-Leach-Bliley, and the Health Insurance Portability and Accountability Act (HIPAA), has a higher profile and affects many companies that are not used to the effort required to achieve a passing grade with external auditors and to protect themselves from legal problems. In the past, many administrators were accustomed to developing backup strategies that provided key snapshots of essential data. However, the requirements are now a lot more stringent.

For example, Section 404 of Sarbanes-Oxley places a burden on IT departments to ensure that the data is subject to scrutiny through an adequate internal control structure. The act requires the Securities and Exchange Commission (SEC) to enforce these requirements. Most large companies already feel the effects of these requirements, and smaller companies (which the SEC defines as being capitalized at less than $75 million) should be in the middle of preparing their compliance plans.

The Federal Trade Commission (FTC) is also now enforcing the Gramm-Leach-Bliley Act. This act regulates the security that companies provide for the protection of customer financial information. Moreover, there are indications that the FTC will pursue breaches of these regulations aggressively, particularly given the press attention to identity theft. Finally, for administrators working with medical information, HIPAA has a tremendous impact on the way that Exchange environments and the associated data are managed.

Each piece of legislation has enormous implications for our companies and how messaging technology is implemented, managed, and supported. Over time, each law will come under the scrutiny of the courts and be subject to interpretation. Administrators must manage systems to comply with present laws and adapt to changing requirements.