Q: I have been in the IT field for over 20 years, in several different companies. Why does it seem like in the past year I spend more time meeting with lawyers than the business people? I understand Sarbanes-Oxley issues, but my current company has been public for seven years, and we have always had "compliance" reviews, but I have been in six meetings in the past eight months with our chief counsel and other lawyers in attendance. Is this happening everywhere, or should I be concerned that something is up?
-- Paranoid In The Data Centre
A: It's not just you; we've gone crazy. As if IT weren't hard enough, now you can't boot your laptop without a lawyer getting in the middle.
Why? There have been astounding levels of legislation passed or pending in the past few years directly relevant to the use, misuse and downright abuse of data. Privacy issues alone are going to keep annoying lawyers employed for many years. The Sarbanes-Oxley Act, while not new, is being so violently contested that your company will be spending a fortune on legal fees whether you comply or not. Either way, the lawyers win.
No one likes lawyers. It's not even one of those "you hate them until you need them" things; I hate them even though I need them. It's not lawyers personally, mind you. I like most of the lawyers I am forced to use. It's the fact that I'm forced to have them (if ever there were a better self-propagating group of folks than lawyers, I can't figure out who it would be). They write the laws, then sit on both sides of those laws. They have guaranteed employment. Even the crappy ones do OK because there are always dumber, crappier people somewhere down the legal food chain who can't navigate the system because the system was designed by lawyers, for lawyers. It's even enforced by lawyers turned judges and ensured sustenance by lawyers turned politicians. It's brilliant if you think about it.
Auditors once held the title of "best business idea ever," since they forced lawyers to write laws stating that companies had to have independent audits. Then the auditor finds things wrong and very conveniently provides consulting services to fix them so you can have a report telling the lawyers that you adhered to the law they enacted, which the auditors wrote. Genius.
Corporate compliance has many faces in many lands. Privacy laws were legal fodder in Europe well before the U.S. paid attention. In the U.S., lawyer vs. IT didn't really take off until after 9/11.
The federal government rightfully realized that the Wall Street folks had woefully silly disaster recovery plans since their DR sites were three miles away. They wanted to make sure DR sites were far, far away and that there was more than one. They got banks and brokerage houses and other folks -- who have all the dough -- together and came up with grand plans that were promptly shot down because those folks were able to convince said government that doing the right thing wasn't technically feasible. So we did nothing.
That exercise opened up one bright lawyer's eyes, however, and New York District Attorney Eliot Spitzer started realizing that some of those big companies might not have the best motivations for their behavior. He started calling people on the carpet for lying and cheating. He made things change because he made it very public when big companies did dirty things.
Then the politicians got back into it and started enacting laws. The Securities and Exchange Commission came up with a slew of broker/dealer laws in order to protect individual investors and keep people in the old-boy network from continuing to hand one another huge piles of money by cheating. Part of those laws required you to keep records -- no more pathetic "We can't do it" or "We tried our best" excuses. The lawyers on the good side put tougher laws in place to say, "Thou shalt keep stuff, electronic or other, so that we can see it when we think you're a lying dirtbag." The lawyers on the bad side then started making more money, first by trying to show their clients how to skirt the issue, and then by showing them how to comply.
There are now a zillion laws that affect IT. Most are around record retention -- making sure stuff is there when someone asks for it. They were a boon to the storage industry, and now in the computer industry not only do you have to keep stuff forever, but you have to do the heretofore unimaginable -- i.e., you have to find the stuff. Electronic discovery has quickly moved from a nice, quiet little service business to a huge market. Now that CEOs go to jail for being caught doing dirtbag things, most would rather avoid that fate. Not knowing is no longer a valid excuse. Not knowing gets you a new friend in a small room. Knowing, finding and proving is what matters. Fines are no longer slaps on the wrist -- they are millions and millions of euros, baby.
Wait until encryption is mandated by law. That will be another boondoggle for both lawyers and industry.
There was a trade show a few weeks ago in New York -- LegalTech. There were 10,000 people there, mostly lawyers -- tech heads on the sides, lawyers in the aisles. The big focus was e-discovery and accelerated electronic evidence production, which represents a small amount of "law" but a big amount of money. Now that the laws say "keep," the scramble is on to "find" and "use."
You can't find what you can't see. If you don't know what to look for or where it is, it's difficult to find. Most legal discovery requests are not completely satisfied. It's systemic in the way we do things. That has to change.
This is why the whole classification/categorization of data has become a hot area. We spent 40 years worrying about how to store stuff but didn't think about how to find things until three years ago. There are numerous approaches to the problem, but they seem to be lumped into these basic categories.
1. Let someone else deal with it. Iron Mountain has all the tapes anyhow, so they have been providing enormously profitable services to companies that need stuff by taking all the tapes and turning them back into "data" and giving the data back to the company, or more likely to another service provider who can sort through the data to find the relevant stuff. The Mountain has recently flexed some muscle by partnering with Stratify Inc. and OnSite3 to provide a total solution. Specialized companies such as Zantaz Inc., which does e-mail archiving and e-discovery/litigation support for those e-mails, are providing integrated services. Outsourcing this stuff is hugely expensive, but most companies don't have the ability to do it internally even if they wanted to.
2. Firms such as Mimosa Systems Inc., Symantec Corp. and Xiotech Corp. are trying to bring technologies inside, where the data is created, to categorize and classify things up front so that no matter where you put them, you can find them. Scentric wants to classify it at creation and apply policy to the data itself and enforce those policies, trying to keep you from causing yourself problems later on. (I'm not sure the lawyers like the idea of people becoming forward thinkers, though. They may try to legislate against such things.)
3. I like the idea of Index Engines Inc., which performs the indexing of stuff in the backup stream. The theory behind it is that you're going to move the data through the backup process anyway, so why not perform the function there instead of duplicating the activity or crawling around looking for things? Everything goes through the backup stream, plus even if the backup tapes are at Iron Mountain, by doing the indexing during the backup process, your company knows exactly what tapes it needs back. That alone will save a ton of time and money compared with how it's typically done. It's always better to extend a process that exists vs. create a new one.
4. Internal search technologies, such as Fast Search & Transfer ASA's products, are enabling companies to find things they didn't know they had. There have been huge advancements in this area in a very short time. Google Inc. has worked with Kazeon Systems Inc. to build an appliance to try to penetrate this market -- to index it and then search it. With years and years of data, being able to sort through everything you have ever created was an impossible task not long ago.
This is just a small sample of what's now available or coming soon. Millions of dollars have been invested over the past few years because lawyers have decided to encroach on our little tech world. In the '90s, the CIO moved from being a techie to being a finance guy. Tomorrow, he might be a finance guy with a law degree. So we'll have geeks managed by folks who first care about reducing cost and then applying stricter and stricter requirements -- and, oh yeah, in case you do something wrong, you will be held responsible. No wonder no one wants to be in IT anymore, since it has none of the money and all the responsibility. And you thought it was hard to meet girls now. …
Send me your questions -- about anything, really, to [email protected]
Steve Duplessie founded Enterprise Strategy Group Inc. in 1999 and has become one of the most recognized voices in the IT world. He is a regularly featured speaker at shows such as Storage Networking World, where he takes on what's good, bad -- and more importantly -- what's next. For more of Steve's insights, read his blogs.