– Sarah Carter, director of marketing at FaceTime Communications (www.facetime.com)
According to FaceTime’s fifth annual user survey, “The Collaborative Internet: Usage Trends, End User Attitudes and IT Impact,” IT managers are not prepared to deal with archiving and eDiscovery for regulatory compliance. Of the IT managers surveyed, 77% can archive and retrieve e-mail; 38% can store and retrieve IM and chat; 29% can retrieve audio conferences; and 22% archive web conferences. Even fewer retain personal blogs (18%), content posted to social networks (19%), or Twitter posts (13%).
Advice for data center managers to prevent PCI- and regulatory compliance-related problems:
Start by getting visibility into what’s going on. Our same survey shows dramatic variations between what IT managers believe was going on, what end users are doing – and the actual data being tracked from 155 FaceTime appliances shows what is really going on.
Here are just some of the variances that we found:
• Comparing IT estimates with actual network data and end-user attitudes shows dramatic variances.
• Sixty-two percent of IT professionals estimate that social networking is present on their networks, whereas the actual data shows social networking present in 100% of cases. File sharing tools (websites or P2P applications) were found to be present in 74% of locations, with only 32% of IT professionals estimating that they were in use. Web-based chat was also found in 95% of locations, with only 31% of IT professionals estimating that they were in use.
From the same FaceTime user survey cited above, IT managers in 66% of organizations indicate they have received some kind of guidance from legal counsel for archiving e-mail; 40% for archiving IM and chat; and 27% for archiving social media content.
FaceTime’s best tip: Involve legal and HR in the creation and implementation of effective policies and procedures to support eDiscovery. The FaceTime survey shows that in 72% of companies surveyed, IT is involved in creating policies and procedures for archiving and retrieval of company communications. Legal counsel is involved 60% of the time, and human resources just 36% of the time.
The best strategy is to create clearly defined policies and procedures and make sure that they are widely disseminated (and reiterated regularly) to end users to minimize violations, and to provide a recourse in the event of a violation (both as a disciplinary measure for offending employees, and as a means of recovering data traffic).
Inability to comply with regulatory audits can be very expensive. According to recent research by the Aberdeen Group, the cost for non-compliance ranges from $1.1 million for a HIPAA violation, $1.3 million for a PCI DSS violation, $1.4 million for an SEC violation, to $2.1 million for a SOX violation.
Most regulatory bodies won’t accept excuses when IT managers cannot produce an audit trail of Web 2.0 content. In fact, FINRA, the Financial Industry Regulatory Authority, has a stated “no grace” policy, so companies are foolish if they don’t put in some kind of technology to monitor, control, and archive social media conversations. In the long run, an investment in Web 2.0 monitoring and eDiscovery technology is cheap insurance.