WORM Compliance

Learn how MirrorWeb can aid with Electronic Records Management and WORM compliance.

What is electronic records management?

Electronic records management or ERM is the totality of the policies and procedures surrounding the collection, archiving, on-demand search, retrieval, delivery and in many cases ultimate deletion of a company's digital communications and other records.

Records can include everything from routine business logs of sales, trades, or similar transactions to all manner of communications, including email, recorded phone conversations, website updates, videoconferences, and even business and social media posts across platforms such as Slack, Teams, YouTube, Yammer, LinkedIn, Facebook, Gab, Twitter, and Instagram.

Why is ERM Important?

Increasingly, organizations, from businesses and non-profits to government agencies, are finding themselves exposed to requirements for e-discovery. E-discovery requires these entities to produce digital records on demand across a wide range of legal and regulatory actions.

In particular, a growing body of global and national regulatory agencies as well as local and national courts are stipulating strict and detailed rules for ERM. In addition to specifying an expanding array of both physical and digital documents that must be retained, they are also holding organizations accountable for the manner of archiving and retrieval alongside all related managerial procedures. Compliance failures can result in fines or related actions.

What Sorts of Regulations Invoke ERM Requirements?

Different industries face different preservation requirements. For example, in the U.S., regulation 17 CFR § 240.17a-4 from the Securities and Exchange Commission requires broker-dealers to retain all internal and external communications, plus their website activity and social media posts, for a period of six years. In the EU, the General Data Protection Regulation (GDPR) places limits on what sorts of personal data can be collected and how long they may be retained.

Some of the more well-known areas where ERM rules are becoming more stringent include:

Financial services:

  • SEC / Financial Industry Regulatory Authority (FINRA) 17a-4

  • §  10-06 --- Requires financial firms to retain records of all social media communications

  • §  11-32 --- Specifies that tweets and text messages are written material that need to be preserved

  • §  11-39 --- Establishes the requirement to retain, retrieve, and supervise business communication, even when that communication is conducted from a personal device

  • Markets in Financial Instruments Directive II (MiFID II): a massive set of regulations covering all facets of asset management and securities trading throughout the EU

Retail and related commerce

  • GDPR: sweeping regulations from the EU covering the collection and management of personal data

  • CCPA: regulations closely mirroring the GDPR but applicable to residents of California only

Healthcare

  • Health Insurance Portability and Accountability Act (HIPAA): requires U.S.-based healthcare providers to maintain close control over patient records while also providing on-demand access as directed by patients

General

Note: thanks to the rise of e-discovery rules, virtually all industries, companies, organizations, and individuals are being held to strict ERM standards, regardless of whether or not a regulatory standard applies. The Federal Rules of Civil Procedure (FRCP) are just one example of the bar being raised for the whole of record keeping.

What are the Costs of Compliance Failures?

Running afoul of ERM rules exposes businesses to an array of risks. Fines themselves can run to millions of dollars. For example, under MiFID II, in 2020 alone, the European Securities and Markets Authority (ESMA) imposed fines of €8,400,430. That's just one agency in one year, and the number of agencies, courtrooms, and other jurisdictions establishing ERM requirements is growing by the day.

Similarly, firms must also concern themselves with sanctions: failure to comply can lead to prohibitions on conducting business in certain markets, temporary bans, or similar penalties.

But worst of all, companies must concern themselves with reputation risks. Reputational damage is generally more costly in terms of lost clients, prospects, and sales than actual fines. In fact, analysts from the Center for Economic Policy Research say losses in share valuation associated with sanctions "are on average nine times larger than the financial penalties imposed by the regulators."

What is WORM Storage?

As regulations proliferate and the general expectations within e-discovery harden, a key theme emerges: the need for WORM-compliant ERM.

The acronym WORM refers to "write once, read many" storage. When using a WORM-compliant device, a file can be written to the drive only once; from then on it can be read as often as needed but never altered, and it is kept in pristine condition with all of its associated metadata intact.

Wherever such regulations apply, and the list is swelling, WORM compliance is an almost universal requirement. Even within the broader practice of e-discovery, judges, arbitrators, plaintiffs, and other participants and stakeholders increasingly expect data storage to be WORM-compliant.

What is Metadata?

It is not enough that an organization is capable of retrieving and sharing requested data. What is required is that the business, person, or other entity in question is able to ensure the provenance of the information that is shared. That is: the data is accurate, complete, and up-to-date, preserved in its original state.

Doing this requires the simultaneous storage and retrieval of immutable attributes associated with each document, posting, or other file. Such metadata includes information like:

  • The name of the author or creator of the file

  • The file creation date

  • The date, time, nature, and author of any changes to the file since its inception

  • The software or operating system in use

  • Any unique identifiers

Organizations may also add further identifiers such as the type of file, its broad categorization, which functional entity created it, or whatever else might help with retrieving the information as needed. Keeping these attributes immutable requires WORM-compliant procedures and equipment.

What Other Requirements May Exist?

Expectations for ERM have evolved significantly. Again, some of the attributes below may be required by regulation; others are simply becoming baseline expectations. In general, your data archives must be:

  • Immutable. The records cannot be changed; they are authentic as filed

  • Discoverable. Your databases must be easy to search and deliver all relevant files

  • Auditable. Your processes must be documented and transparent

  • Redundant. All of your data must be backed up to a secure location or, better still, to several

  • Of appropriate duration. Certain regulations impose minimum storage periods ("you must hold on to this record for five to seven years") and others impose maximums ("this file must be permanently deleted after a specified period"). Your ERM system must be efficient and effective in executing these specific requirements.
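The immutable, auditable and duration-bound attributes listed above can be made concrete in code. The following is an added example, not MirrorWeb's software: a small in-memory archive that refuses to overwrite an existing record, stores the metadata fields named in the previous section, refuses deletion inside a minimum retention period, flags records past a maximum, and keeps a hash-chained audit log. Record identifiers, retention periods and timestamps are constructed values.

```python
import hashlib, json

DAY = 86400  # seconds per day; all timestamps are caller-supplied epoch seconds

def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class WormArchive:
    """Write-once archive with immutable metadata, retention limits and a hash-chained audit log."""
    def __init__(self, min_retention_days, max_retention_days):
        self.records = {}  # record_id -> (content bytes, metadata dict)
        self.audit = []    # audit entries, each committing to the previous one's hash
        self.min_days, self.max_days = min_retention_days, max_retention_days
    def _log(self, event, record_id, now):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"event": event, "record_id": record_id, "at": now, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)

    def write(self, record_id, content, author, software, now):
        if record_id in self.records:  # write once: an existing id is never overwritten
            raise PermissionError(f"{record_id}: already archived (write-once)")
        meta = {"author": author, "created": now, "software": software,
                "sha256": hashlib.sha256(content).hexdigest()}
        self.records[record_id] = (content, meta)
        self._log("write", record_id, now)

    def read(self, record_id, now):
        content, meta = self.records[record_id]
        if hashlib.sha256(content).hexdigest() != meta["sha256"]:
            raise ValueError(f"{record_id}: content no longer matches its stored hash")
        self._log("read", record_id, now)
        return content, meta

    def delete(self, record_id, now):
        if (now - self.records[record_id][1]["created"]) / DAY < self.min_days:
            raise PermissionError(f"{record_id}: inside minimum retention period")
        del self.records[record_id]
        self._log("delete", record_id, now)

    def due_for_disposal(self, now):  # past maximum retention: must be purged
        return [rid for rid, (_, m) in self.records.items()
                if (now - m["created"]) / DAY >= self.max_days]

    def verify_audit(self):
        prev = "0" * 64
        for e in self.audit:
            if e["prev"] != prev or _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

A production system would place these controls in the storage layer itself (and replicate to a second location for redundancy); this in-memory model only shows which checks each attribute implies.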

Why is Assurance Essential?

WORM-compliant ERM, whether mandated by regulation or merely as reasonable practice, is becoming the standard in business and society. Organizations are increasingly expected to be able to demonstrate that their processes are sound and thorough; that their storage systems are WORM-compliant, discoverable, auditable, and redundant.

This is a significantly more evolved state than simply being able to retrieve and share records on request. A demonstrably sophisticated and capable ERM system can also prove a negative: if the policies and procedures are sound, and if the storage exhibits the attributes above, including WORM compliance, then there is no more to the story than what is supplied.

Suppose a regulator or plaintiff suspects that an item or items may exist as evidence of actions they allege, and places a demand for retrieval. If it exists, it is captured, stored, retrieved, and delivered on demand. If it doesn't exist, that is reasonable proof it did not happen.

How Can MirrorWeb Assist?

MirrorWeb has extensive experience working with a wide variety of industries and organizations that need to address everything from regulatory compliance to the risks of potential demands for e-discovery.

We are data professionals, and we can help your group develop the right sets of ERM procedures to ensure you are protected and compliant. Our multiple web crawlers and other tools will routinely comb your digital byways to make certain every email, web posting, video conference, or social media posting is captured, tagged, and archived.

Our WORM-compliant storage ensures your data and files will remain immutable, searchable, and always available, fully backed up in multiple locations.

We know our business, leaving you free to run yours. You can have complete confidence that, if the need arises to produce a report to a regulator, court, or other competent authority, you have complete access to and control of your data. If "it" happened, you have it. And if it did not happen, you can prove that too.