Working to rules
Businesses could soon be engulfed by a deluge of new IT regulations, but resellers can help keep customers compliant
In recent years the issue of corporate governance has moved from the dusty desks of accountants and lawyers to the boardroom table.
Concerns about proliferating electronic data, individual rights, access to information, and corporate scandals such as Enron and Worldcom have combined to create a tidal wave of new legislation which threatens to engulf the unwary and leave them washed up in court, or even in jail.
The best known piece of legislation is the Data Protection Act, which was revised in 2000 and more recently beefed up to cover e-privacy. This decrees, among other things, that personal data must be secured, kept up to date, shared only with caution and permission, shown to the subject on request, and not kept longer than necessary.
The American Sarbanes-Oxley Act, which forces public companies to reveal their internal controls, ethics and auditing procedures and to protect relevant data, will also affect European subsidiaries of US firms and European companies with US subsidiaries. Similar legislation is under development in the UK in the form of the Companies Bill.
Some sectors have their own legislation. The European Banking Capital Accord (or Basel II) requires financial services companies to maintain data and demonstrate their ability to continue operations in the event of an IT failure.
The Freedom of Information Act, which becomes UK law in January, gives people the right to request information from public-sector organisations. It requires medical and pharmaceutical records to be kept for specific minimum periods.
Other rules and regulations to watch out for include the Regulation of Investigatory Powers Act (which rules on the monitoring of information and the obligation to divulge information), the Human Rights Act (affecting individual privacy), the Turnbull Report (on directors' responsibility), the US Patriot Act (requiring the safeguarding of data) and the International Accounting Standards Code.
These laws mean that data must be carefully looked after, often for considerable periods. Three to seven years is common, but sometimes the obligation extends to the whole life of a product (such as a drug or a pension) or a company (for example board meeting minutes).
Regulation is seldom approached holistically, so that sets of rules often conflict with each other, and sometimes even within themselves.
There's no lack of awareness of recent legislation. Robin Pilcher, director of European marketing at storage network vendor CNT, says: "Most customers are already aware of the regulations. It's all they've heard from the storage industry for months. Reminding them is unlikely to increase the chance of a sale."
But while many organisations are aware of the problem, they have little idea of what to do about it. Some are over-cautious, says Adrian Wright, managing director of risk management software vendor Secoda.
"Stories abound of US financial firms that store all the spam they receive on massive Raid arrays rather than take the risk of deleting it," he says.
Others, perhaps weary of the IT industry's Jeremiah-like propensity to prophesy the worst, are taking it too calmly.
David Smith, enterprise storage marketing manager at Hewlett-Packard, says: "Many businesses have taken a blasé attitude, but non-compliance is simply not an option. Senior staff can go to prison if their companies are found lacking, and a company can suffer a drop in its share price if it is seen as non-compliant."
Sometimes, says Sam Samuel, strategy director at networking storage distributor Zycko, the problem lies with the approach of compliance officers.
"Many firms have appointed a compliance manager, but this is usually a high-level administrator who has little knowledge of or interest in IT. This disconnect produces a divide which the reseller may have to bridge," he says.
In other cases the problem is simple ignorance. According to a survey by storage vendor Adaptec, 85 per cent of UK IT managers have never received formal training on how to comply with data storage legislation. And it is estimated that up to half of businesses have not yet fully complied with the Data Protection Act.
Melville Carrie, vice-president of research and development at content-capturing vendor Chronicle Solutions, says: "There's little clear information being disseminated to companies. Most don't understand the implications of all these rules."
Scaremongering is unlikely to work. A more promising approach is to accentuate the positive, which can go well beyond the direct benefits of compliance, such as not being sued, fined or jailed, and improving shareholder confidence.
"Compliance presents an opportunity to examine a company's strengths and weaknesses and streamline its processes," says Dan Scobie, strategic technology officer at connectivity, hosting and application reseller Star.
"Resellers should advise customers to carry out an internal requirements audit to formulate risk reduction and data storage policies, and use these to examine their technology and identify how it can be improved."
Samuel says: "In many cases compliance is nothing more than the formalisation of best practice. By adopting best practice in the data centre, most organisations will probably meet 80 per cent of requirements, leaving only marginal issues to be looked at. This brings a sense of perspective to a seemingly overwhelming task."
Scobie reels off a list of issues that need to be considered: watertight perimeter security and virus/spam protection; security for communications links and remote workers; security training for users; an internet and email policy; and policies on employee monitoring, gathering and processing personal data and data storage and review periods.
Ironically, although compliance is often seen primarily as a storage issue, it is just as much about getting rid of data as storing it. "The current emphasis on increasing storage eventually will implode once businesses realise that unnecessary backing-up today creates problems for tomorrow," says Wright.
The aim is to not store junk in the first place, and to delete genuine data once it reaches its legal store-until date. Deleting data not only frees valuable storage space but also absolves the organisation from having to produce the data if the authorities or courts subsequently demand it.
Once stored, data needs to be durable and retrievable, often for many years. This requires reliable media and backups, and exact knowledge of what has been stored and how to retrieve it rapidly.
Many of the core technologies required come under the umbrella of information lifecycle management, email archiving and hierarchical storage management. Content searching tools are likely to be needed and some kind of audit trail is essential. Encryption can be a two-edged sword.
It is valuable for increasing security, but a nightmare if the data can't be decoded when required, or if it prevents search tools from determining what has been stored.
Integrity of the data is vital. Companies must be able to demonstrate that data is complete and has not been tampered with.
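The two requirements in the paragraphs above, deleting data once it reaches its legal store-until date and being able to show that what is kept has not been tampered with, are shown here as an added worked example. It is not from the article or from any vendor quoted in it; the classifications, retention periods, record data and the hash-chained audit trail are all constructed assumptions for illustration.

```python
"""Added example: a minimal retention-policy engine with a tamper-evident
audit trail. Policies, records and dates below are constructed, not taken
from any real organisation or product."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
import hashlib
import json

# Hypothetical retention periods in years, keyed by data classification.
# None means "keep for the life of the product or company" (never auto-deleted).
RETENTION_YEARS = {
    "customer-personal-data": 3,
    "financial-records": 7,
    "board-minutes": None,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    created: date
    legal_hold: bool = False  # a litigation or regulator hold blocks deletion


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def store_until(record: Record) -> Optional[date]:
    """Legal store-until date for a record, or None if it must be kept indefinitely."""
    years = RETENTION_YEARS[record.classification]
    return None if years is None else add_years(record.created, years)


def due_for_deletion(records: List[Record], today: date) -> List[str]:
    """IDs of records past their store-until date that are not on legal hold."""
    due = []
    for r in records:
        until = store_until(r)
        if until is not None and until <= today and not r.legal_hold:
            due.append(r.record_id)
    return due


class AuditTrail:
    """Append-only log where each entry's hash covers the previous hash, so
    editing or removing an earlier entry breaks every hash after it."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, default=str)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"prev": prev, "event": event,
                             "hash": self._digest(prev, event)})

    def verify(self) -> bool:
        """True only if every entry still chains correctly to its predecessor."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def run_retention(records: List[Record], today: date, trail: AuditTrail) -> List[str]:
    """Record each deletion decision in the audit trail and return the IDs deleted."""
    due = due_for_deletion(records, today)
    for rid in due:
        trail.append({"action": "delete", "record": rid, "on": today})
    return due


# Constructed sample data: a run dated late 2004.
TODAY = date(2004, 11, 1)
SAMPLE_RECORDS = [
    Record("r1", "customer-personal-data", date(2001, 1, 15)),        # expired
    Record("r2", "customer-personal-data", date(2002, 6, 1)),         # still within period
    Record("r3", "financial-records", date(1996, 3, 31), legal_hold=True),  # expired but held
    Record("r4", "board-minutes", date(1990, 9, 12)),                 # kept indefinitely
    Record("r5", "financial-records", date(1997, 2, 28)),             # expired
]

if __name__ == "__main__":
    trail = AuditTrail()
    print("deleted:", run_retention(SAMPLE_RECORDS, TODAY, trail))
    print("audit trail intact:", trail.verify())
```

The legal-hold flag is what stops the "delete on schedule" rule from destroying evidence a court or regulator has already asked for, and the chained hashes let an auditor check that the deletion log presented to them is the one that was actually written.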
Sarah Carter, sales and marketing director at storage, network and security VAR HarrierZeuros, says: "In our increasingly litigious society, demand for IT records will rise. Winning a legal case might just be down to whose data carries more evidential weight."
The current focus on storage can mask the fact that compliance also affects security. "The latest Gartner report hints that the area most likely to be overlooked is security," says Mark Keepax, business development manager at systems integrator Dimension Data.
The whole area of compliance is constantly shifting. New regulations will be enacted over time, and most of the existing ones are relatively untested. They may well be subject to tweaks and clarifications as they bed in. Data lifetimes are lengthy in IT terms, so flexibility will be essential.
"Legislation is a moving target. Companies need open systems that allow them to integrate data and allow best-of-breed solutions," says Ashley Robinson, marketing director at unified storage vendor Network Appliance.
This all sounds like a heaven-sent opportunity for the channel. "Compliance is a real goldmine for resellers," says Keepax. "Hardware and software are the most obvious opportunities, but don't underestimate the leap in 24-hour support needs associated with them."
Storage may be cheap, but managing it will be reassuringly expensive. "There will be substantial opportunities for consultancy, configuration, maintenance and support revenues," says Carrie.
Other added-value opportunities are legion. "The primary issue for resellers should be enabling customers to manage their storage, guiding them on how long data should be kept," says Scobie. "Resellers can relieve the end-user of this burden, which can otherwise create a huge administrative overhead.
"How long data needs to be stored is a question of classification. This presents a real opportunity to resellers, who can advise on the creation of data classification policies and the processes and technologies to meet them.
"And the contradictory requirements of the Data Protection Act, for example, emphasise the need for clear guidance through the regulation minefield, where resellers have a chance to offer advice and support."
Pilcher enthuses: "The neat thing from a reseller's point of view is that most organisations simply don't have the time or money to understand the new regulations. Smart resellers can give advice on which regulations affect each organisation, and show how the solution they recommend is the perfect fit."
Customers will rely on trusted resellers for impartial advice.
"The channel's role will be to offer advice on the efficacy of individual solutions - after all, each vendor is bound to say theirs is the best - and on the level of overlap and integration between products to achieve maximum compliance with minimum effort and expense," says Carrie.
"Resellers will benefit from a long-term relationship based on trust, rather than selling expensive solutions today because they make the most margin on them."
This could trigger a change to a more holistic approach. "Resellers will have to operate in a more joined-up fashion," says Keepax.
"They can no longer sustain a model of drop-shipping tin and then trying to upsell consultative services. They will need to be considerably more aware of the bigger picture regarding each customer's marketplace and have a broader engagement model with their clients."
According to Paul Hickingbotham, senior consultant at storage distributor Hammer, the key word is specialisation.
"It's essential to have the specialist skills to provide customers with the assurance needed to make a major investment in new storage, or to work with channel partners who have these skills," he says.
"Vertical specialists are much better placed to offer suitable solutions than general resellers."
Russ Johnson, European managing director of Adaptec, advises a return to school. "It's vital for resellers to learn about the precise legislation that affects their customers," he says. "For example, resellers selling to financial organisations need to swot up on Basel II."
Re-skilling could be a tall order, however, and one made even taller by the ever-shifting complexities of the various regulations and the way they interact with each other. The do-it-yourself approach is a difficult one. "Education tools are almost non-existent, and information on the web is of variable quality," warns Samuel.
Vendors' seminars are likely to limit their discussions to the areas of compliance that are covered by their own products.
Resellers might fare better with independent bodies such as the Institute of Directors, the Federation of Small Businesses, the Confederation of British Industry, the Law Society or the Chartered Institute of Personnel and Development.
"Some general education can be acquired in the form of specific training or by buying white papers. But perhaps the best way of learning about compliance issues is to work with partner organisations that really understand compliance and support the reseller in what it is trying to do," says Keepax.
A legal expert is likely to be the most important of these partners.
"Don't get carried away and provide advice on what are fundamentally legal issues. This is a huge risk area, as resellers are not qualified to provide such advice," says Scobie. "We partner with legal firms to ensure that our customers have the right information."
Often a combined effort is required. "Hammer works closely with resellers and end-users to develop the most appropriate and cost-effective solution in each case," says Hickingbotham.
"This can't be done in a few phone calls. It needs all parties to be sitting round the table to make sure the needs of the business and external regulatory demands are fully understood."
The level of detail compliance requires can be alarmingly granular.
"Every department within a company should categorise the information it holds. It should then determine a retention and destruction policy for each category in the light of the relevant legislation, particularly the Data Protection Act," says Simon Halberstam, partner and head of e-commerce law at IT law firm Sprecher, Grier and Halberstam.
But the rewards will be worth the effort, since trusted and successful resellers can gain influence over a customer's whole strategy.
"This isn't just a consultancy play," says Keepax. "It offers the reseller a genuine opportunity to influence the shape, size and nature of the client's future business. Resellers will be offered unparalleled access to key factors and sensitive information at the heart of a client's business."
CONTACTS
Adaptec (01276) 854 500
www.adaptec.com
Chronicle (020) 8305 6633
www.chroniclesolutions.com/uk
CNT (01883) 734 115
www.cnt.com
Dimension Data (020) 7651 7000
www.didata.com
Hammer (01256) 841 000
www.hammerplc.com
HarrierZeuros (0845) 230 2322
www.harrierzeuros.co.uk
HP (01344) 360 000
www.hp.com/uk
Network Appliance (020) 8756 6700
www.netapp.com
Secoda (020) 7232 4877
www.secoda.com
Star (01285) 884 400
www.star.net.uk
Zycko (01285) 868 500
www.zycko.com