Comment Article
Regulations Upping the Ante on Electronic Data Management
By Fran Howarth, Principal Analyst, Quocirca Ltd
Rules and regulations regarding what records
companies must keep and be able to produce as
evidence in the case of a court hearing have been
around for decades, with one of the first such
laws being the Securities and Exchange Act of the
US that was passed in 1934. Initially governing
only written documents and guarantees, the rule
has been expanded to cover new communication
technologies such as email and instant
messaging.
In recent years, a wide range of governmental
and industry-specific regulations have been
passed-some international in nature, some limited
to a local scope. One particular law that is
currently causing headaches for many companies
is the PCI standard from the Payment Cards
Industry. This law specifies security standards
that must be adhered to by all companies
processing personal data relating to credit
cardholders, including the need to protect
personal information and store it in encrypted
form, to restrict access to data, and to track and
monitor all attempts to access that data. On a
more general level, there are a plethora of
regulations related to privacy and data protection
that require companies to invest in secure
electronic data management systems to ensure
that personal information related to individuals is
protected.
Such regulations are forcing companies to revamp
their electronic data management policies and
capabilities, with one of the key drivers being the
threat of legal sanctions imposed on them. Data
leakage prevention has become a particular buzz
phrase in the technology industry-especially given
the large number of high-profile cases of
inadvertent data loss by companies and US
agencies that have hit the headlines recently.
In the face of the threat of potential litigation or
reputational damage, companies are coming to
realise the vital importance of regaining control of
their business information, including how it is
securely archived in order to be able to respond
to investigations with the minimal level of
© 2007 Quocirca Ltd http://www.quocirca.com
business disruption. In the past, the probe for
evidence for legal purposes involved searching
through filing cabinets of stored paper
documents. In today's business world, up to 90%
of the information that a company holds is in
electronic form, including business documents in a
variety of native formats, databases and
directories, and messages, such as information
contained in email and instant messaging
systems.
In order to assuage these threats and to comply
with regulations that, in some cases, force
companies to maintain company documents for
many years, companies are putting in place
technology to control the management of their
data and the repositories it is stored in. The
capabilities of such systems include automated
document retention and archiving, document
destruction overrides, automated creation and
enforcement of data management policies, access
control management, encryption technologies,
monitoring, web filtering capabilities and full audit
trails of who has done what to which material,
and when. Such systems should control all data
generated by an organisation in whatever
application it was created and on whatever device
it resides, including hard drives, storage systems,
email systems and internet access records.
Although such data management technology
systems provide many advantages for companies
looking to control and secure their information
flows, employee education is a key factor in the
success of any project. All staff must be made
aware of the behaviours expected of them,
including activities such as accessing bulletin
boards, using instant messaging programs, using
personal email or logging in to social networking
sites. In some cases, employees register for such
sites using their company email addresses-
potentially opening up part of the company
directory to abuse. Some companies deploy
content filtering technologies, which can prevent
sensitive or dubious material from being sent
outside of the firm, and others monitor the use
+44 118 948 3360
 Comment Article
that their employees make of communications
systems such as email and instant messaging.
However, monitoring of employees' use of email is
something that should be done with care in
certain jurisdictions, including France and
Germany, where companies must respect the
rights of their employees to expect privacy-even
on company-owned equipment, and even where
the company has set a policy of not allowing the
use of company equipment for such things as
personal email. In the case of France, the
authorities have ruled that employees have the
right to privacy even at work, and especially
considering the increasing blurring of private and
working lives.
Another requirement that international companies
will have to factor in to their data management
capabilities is that a practice that is required in
one country may be illegal in another jurisdiction.
For example, the US-and many other jurisdictions
based on common law principles-allows for a fairly
permissive pre-trial discovery of documents in the
case of any company facing litigation for which
they must product company data and information
records as evidence. However, in some countries
including France, Switzerland and Germany, local
laws prohibit attempts to gather "any document
that may be relevant" through blocking statutes,
making such activity a criminal offence that is
punishable by imprisonment and fines. This is a
headache for companies involved in multi-
jurisdictional disputes, or who operate across
multiple countries, as national regulatory
differences must be included in their data
management plans and capabilities.
© 2007 Quocirca Ltd http://www.quocirca.com
Best practices guidelines for effective electronic
data management:
• Do your homework-find out which regulations
apply to your business, taking into account
operations in different geographies, and what the
requirements of those regulations are.
• Start with a process of discovery internally,
covering all data formats, applications and
technology devices.
• Assess information access rights in place across
the organisation and put in place restrictions on
all unnecessary data access.
• Select an electronic data management system
that covers all devices, applications and
information sources in use, but that is flexible
enough to be tailored to the company's specific
requirements, such as the use of filtering,
encryption and archiving.
• Train employees as to the company requirements
and ensure that all employees have read and
understood policies set through electronic
acceptance of the terms. Include any sanctions to
be applied in the event of a security incident.
• Audit and report on the system to gauge its
effectiveness and be prepared to make changes.
Regulatory compliance is the new reality for most
businesses today. Whilst the burden is the most
onerous for those with shareholders to satisfy, all
companies would be well advised to take a look at
the processes that they have in place for ensuring
that the information that they produce is
maintained and used in a secure manner-as
required by many regulations. However, as recent
court cases in some countries have shown,
companies operating internationally should take
care when treading through the minefield of how
particular regulations are interpreted in the
countries in which they operate.
+44 118 948 3360
 Comment Article

About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology
and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the
views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-
world practitioners with first hand experience of ITC delivery who continuously research and track the industry
and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and
political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in
any implementation. This capability to uncover and report back on the end-user perceptions in the market enables
Quocirca to advise on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC
has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s
mission is to help organisations improve their success rate in process enablement through better levels of
understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC
products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of
long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise
that ITC holds for business. Quocirca’s clients include Oracle, Microsoft, IBM, Dell, T-Mobile, Vodafone, EMC,
Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist
firms.

Details of Quocirca’s work and the services it offers can be found at

http://www.quocirca.com

© 2007 Quocirca Ltd http://www.quocirca.com +44 118 948 3360