Rules, Rules, Rules

Financial-services firms including Guardian Life and Huntington Bancshares face numerous compliance challenges.

If Guardian Life Insurance Co. executive VP and CIO Dennis Callahan ever takes up tennis, he'll probably be thoroughly bored. Just a single ball, and only one person trying to sneak it past him? Callahan, whose main job the past 3-1/2 years has been to try to change the culture of the company's technology organization, spends a good chunk of his time -- and more than $4 million a year -- swatting back compliance balls flying in from securities regulators and California lawmakers.

Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, the USA PATRIOT Act, the California Security Breach Law, Securities and Exchange Commission rule 17a-4 -- these are but a few of the compliance challenges he faces. That's along with his day job of managing a $150 million annual IT budget to help salespeople be more productive, simplify operations, improve customer service and diversify the lineup of insurance products.

To say regulatory compliance is a distraction for business-technology executives is an understatement. Four out of five say it's a challenge just tracking whether their organizations have met compliance goals, according to an InformationWeek Research survey of 200 business-technology professionals last month. A third say complying with government regulations has had a negative impact on productivity. And 59 percent say their spending on compliance will go up this year, while only 6 percent predict a decline. That's a bit less than in September, when InformationWeek Research conducted its first compliance study; then, 71 percent said they'd spend more and only 2 percent predicted less spending.

Yet considering that many companies are actually cutting their overall IT budgets -- 54 percent were cutting or holding level in an InformationWeek survey at the beginning of this year -- compliance is clearly a burden. "The substantial increase in regulatory requirements in the past few years has put added pressure on the technology budget," Callahan says.

Guardian Life spends 3 percent of its IT budget directly on compliance and another 2 percent on somewhat-related functions, such as business continuity and risk management. Some of that money is being spent to create a dedicated system around EMC Corp.'s Centera software for data life cycle management, working in tandem with iLumin Software Services Inc.'s Assentor E-mail retention software, to meet SEC rule 17a-4. That rule requires financial companies to retain, monitor and analyze electronic communications.

The insurer also is using Centera to manage its storage area networks, where transaction and customer data are kept. The company is increasing the capacity of those SANs in part to accommodate compliance with the Sarbanes-Oxley Act, which holds business directors and managers accountable for the veracity of financial statements. While Guardian is a mutual insurer and not a public company, and is therefore not subject to Sarbanes-Oxley, Callahan says it's only a matter of time. "Insurance regulators are looking at it and so are we," he says.

The company has received some business value in return, such as improvements in record keeping related to the "know your customer" requirements of the PATRIOT Act. But that's a minority opinion -- only 38 percent of companies say they've benefited from complying with regulations, while 22 percent say it has hurt them, and 40 percent say it has had no impact. Guardian treats compliance issues as "helping IT and the business focus on issues they ought to be addressing anyway," Callahan says.

Sarbanes-Oxley and HIPAA are the most far-reaching of the relatively new regulations, with more than half of InformationWeek Research respondents saying their companies are taking steps to comply with them. HIPAA sets standards that affect any company handling medical records, requiring certain standards for privacy and security of patient information that affect a broad swath of companies: employers, insurance companies and healthcare providers.

And there are new regulations coming all the time. Just last month, the federal government -- under authority of the 65-year-old Fair Labor Standards Act -- significantly changed how overtime must be calculated. The feds also enacted the Can-Spam law, which affects direct marketers such as major E-retailers, as well as the Do Not Call Registry. California state senators have passed a bill proposing to regulate the use of radio-frequency identification tags on individual consumer goods. No wonder that a third of companies say they're less productive because of government regulations.

One of the first reactions to new regulatory requirements has been to restrict access to company data, though the impulse to limit information flow isn't as strong as it used to be. Last year, 75 percent of companies said they were more closely restricting access to certain data; now that's 66 percent of companies. Thirty-nine percent were providing less information to partners or customers; now just 26 percent are. HIPAA has forced the University of Texas Health Science Center at Houston to reevaluate how it shares information. In the past, the school emphasized a culture of information sharing across departments in the pursuit of knowledge. The emphasis was on making information as accessible as possible, a culture that had to change with HIPAA and other laws such as the Texas Administrative Code, which requires health-care administrators to keep tighter control on patient and student information. A year ago, the UT Health Science Center embarked on a project to identify all data that needed to be protected in order to comply with the law and to deploy encryption software with its storage area networks. NeoScale Systems Inc. encryption hardware now sits between the SANs, where the data is housed, and the fiber connections that deliver data to and from end users. The idea is that if a disk is stolen, confidential information such as names and Social Security numbers wouldn't be compromised. HIPAA and other laws merely stipulate that data needs to be protected, not how to do it. "The law doesn't take into account all the ways data can be stolen or misused," says Kevin Granhold, director of network services at UT Health Science Center.

1 of 2