Regulatory Concerns

A common reason that many organizations implement ILM is to address regulatory concerns. Throughout the world, new regulations that attempt to safeguard privacy or control the behavior of public organizations are affecting how information is retained and destroyed. In the United States, Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) have caused corporations and other organizations to examine how information is handled and who has access to it. The European Community has established privacy regulations, such as the e-Privacy Directive, which place specific requirements on holders of other people's information. Regulations such as these force organizations to manage information better, monitor how long it exists, ensure that it is destroyed when it is supposed to be, and control who has access to it.

Privacy and corporate regulations that affect information management exist worldwide. The following are some examples of current trends in regulations as they pertain to Information Lifecycle Management and data protection.

Sarbanes-Oxley

In 2002, the U.S. Congress passed U.S. Public Law Number 107-204, also called the Sarbanes-Oxley Act of 2002. Known colloquially as Sarbanes-Oxley or SOX, the law was passed during a period of profound distrust of corporate executives, auditors, and directors. It was fueled primarily by corporate scandals culminating in the collapse of two multibillion-dollar companies, Enron and WorldCom. In the wake of the failure of these companies, thousands of people worldwide were left out of work. It was felt by many politicians in the U.S. Congress (and investors throughout the world) that the executives and directors of these companies had benefited at the expense of individual investors, employees, and the common good.

Sarbanes-Oxley, Section 302, places upon executives of public companies the burden of verifying the truthfulness of the information in the companies' financial statements. Furthermore, they are responsible for maintaining internal financial controls. The law outlines criminal and civil penalties for those who do not comply with it and creates an oversight board (the Public Company Accounting Board) to ensure compliance.

IT managers are being called upon to help companies comply with these regulations. With almost all financial information stored electronically, especially in databases and spreadsheet files, IT must provide solutions for assuring the integrity of information that eventually becomes official financial statements. ILM is a tool to help accomplish this. By defining classes of information that relate to the financial statements, ILM allows a lifecycle to be created that is pegged to the requirements of SOX. In addition to the lifecycle, state changes can be monitored so that executives learn when information has changed without their knowledge. This tells them whether or not they can certify that the information they present is truthful to the best of their knowledge. Information that can change without their knowledge cannot be verified as correct.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act, or HIPAA (U.S. Public Law 104-191), was designed to ensure that health information is available to those who need it while safeguarding it against unauthorized access. When the law was passed in 1996, it was felt that individuals needed protection against fraud and misuse of medical information, and that regulated access to medical information would enhance delivery of services.

The rather vague provisions calling for health-care information security and privacy have caused the biggest angst among health-care providers and insurers. For example, Section 1173 (d) (2) states that

Each person described in section 1172(a) who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards

(A) to ensure the integrity and confidentiality of the information;

(B) to protect against any reasonably anticipated

(i) threats or hazards to the security or integrity of the information; and

(ii) unauthorized uses or disclosures of the information; and

(C) otherwise to ensure compliance with this part by the officers and employees of such person.

These are not very specific provisions or definitions. Since the bill was passed, the U.S. Department of Health and Human Services has issued several regulations based on the act that help to define what it means. Even though the text is nonspecific, it is clear what the intention is: Care must be taken to protect health information from unauthorized destruction or access.

ILM deals with information and can discern the differences between information that needs to comply with HIPAA and information that does not. Separate policies can be developed that address different classes of information that are covered by HIPAA so that this information can be treated differently. Most of all, ILM policies can help verify that information is handled under the rules of HIPAA. ILM is an important tool in HIPAA compliance.

E-Privacy Directive (Directive 2002/58/EC)

The European Community (EC) and European Union have been at the forefront of information privacy, often well ahead of the United States. In 2002, the European Parliament adopted Directive 2002/58/EC, known as the e-Privacy Directive. It defines an extensive set of rules regarding the protection of electronic information. Much of the directive deals with the protection of information gathered through electronic commerce. In the main, it charges those who gather electronic information for commercial purposes to ensure the privacy of that information. The entire electronic supply chain is involved.

ILM would help organizations comply with these rules by allowing companies to control the information paths associated with the information. Actions would be triggered based on the additions to or changes in the path. Access control could also be enhanced if those who touched the data were tracked as part of the state of the information. Controls could be built around the ILM policies to ensure that information does not go anywhere it is not authorized to go and is not touched by anyone who is not authorized to do so.

Other Regulations and Laws

Many other regulations and laws throughout the world pertain to information, the rights of individuals to control that information, and the requirements that apply to organizations that hold that information. The United Kingdom's Data Protection Act of 1998 is an example.

Many information rules are buried in other legislation or regulations. The U.S. Securities and Exchange Commission and the Comptroller of the Currency have numerous regulations that require financial institutions to manage information so that it is accessible, protected, and secure from invasions of privacy. The international community is also creating rules through agreements such as the Basel II Accords. Designed to regulate banks' credit risk, Basel II has requirements regarding the management of historical financial information.

As is the case with SOX, HIPAA, and the e-Privacy Directive, control of information (where it is, what is happening to it, and who is touching it) is a major element of compliance. This is precisely what ILM is about.

    Data Protection and Information Lifecycle Management
    ISBN: 0131927574
    Year: 2005
    Pages: 122