Compliance Is the New Y2K

What drives the development and adoption of new information technology? The easy answer is that somebody, somewhere, sees a better, faster, cheaper way of doing something. But the easy answer often isn't the only answer. Much of the fuel for the tech bubble of the late 1990s came from the looming Y2K crisis. Remember that? When faced with the question of whether their legacy systems would continue to work correctly when the century turned, many companies decided to simply scrap much of their central computing infrastructure in favor of new enterprise-level applications, thus investing heavily in the database technology and storage systems on which those new applications were based.

Regulatory compliance is the new Y2K. In industry after industry, federal regulatory agencies are establishing stringent rules concerning data retention. Prominent among these new regulations are the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which ensures the privacy of health-care records; US Securities and Exchange Commission (SEC) Rule 17a-4 of the Securities Exchange Act, which controls the retention of e-mail communications; and the US Food and Drug Administration's (FDA's) 21 CFR Part 11, which lays out conditions for the use of electronic signatures. The US Department of Defense (DOD) also has issued design criteria for electronic records management, and the European Union (EU) has passed rules and regulations concerning management of personal data and medical records. The recently passed Sarbanes-Oxley Act, which attempts to make corporate management more accountable to shareholders and the public, could emerge as the 800-pound gorilla of electronic records management legislation. Experts are still sorting through the implications of Sarbanes-Oxley for data storage.

As a result of such legislation and rules, a huge amount of enterprise data is now subject to regulation.
According to a study by the Enterprise Storage Group, the worldwide volume of compliance-related records will increase from 376PB in 2003 to more than 1600PB by 2006--that's an annual growth rate of 64 percent. According to Suresh Vasudevan, senior director of product management at Network Appliance (NetApp), as much as 15 percent of corporate data could become subject to regulation over the next several years.

Although different agencies' regulations vary significantly, they share several elements. First, the regulations generally mandate that specific data must be retained for a defined period of time. Second, they dictate that companies must be able to retrieve information within a specified length of time. Third, and perhaps most significantly, the regulations require that stored data be unalterable and require companies to be able to prove that the data can't be overwritten or modified.

In the past, write once, read many (WORM) optical technology has been the primary solution for permanent record storage. But data storage companies are now introducing alternative approaches that take into account the real possibility that the data will have to be retrieved quickly and efficiently. EMC's Centera family of magnetic WORM storage devices for fixed content was among the earliest new products. And just a couple of weeks ago, NetApp announced that several applications partners were using its SnapLock Compliance software, which offers automatic data verification and strong security features designed to meet compliance standards. NetApp announced SnapLock Compliance in May.

The growth of compliance concerns has raised several new considerations for storage administrators. Not only must technology that's designed to meet the regulations work as advertised, but in many cases the regulating agency must approve or validate the solution.
For example, in the case of Rule 17a-4, companies must submit their system's specifications to the SEC, which has 90 days to decide whether to allow use of the system. Moreover, as Vasudevan suggests, companies might opt to use the same storage technology for unregulated data, such as architectural and automotive designs and nonfinancial customer information, that they want to retain in an unalterable format. NetApp recently expanded its SnapLock family of products to cover such applications.

Clearly, like Y2K, compliance issues are forcing companies to rethink their IT infrastructures. This attention to compliance will, at a minimum, put new emphasis on data lifecycle management in the enterprise.