A tidal wave of new compliance regulations looks set to wreak havoc in IT departments when it hits some time in the next 12 to 18 months.
The new regulations will be introduced as a direct result of the current crisis in the financial markets, and as their scope becomes clearer they will have a huge effect on data center activities, said Chris McClean, an analyst at Forrester Research. "I reckon the impact of these new regulations has the potential to be much, much bigger than Sarbanes-Oxley," McClean said. "The push for new regulation will be enormous. When you look at the amount of people affected by Enron and WorldCom, it's small compared to those affected by the current financial crisis. IT will have to be involved in a big way."
He believes it's likely that the purpose of many of the new regulations will be to push for better corporate auditability. That's because one of the problems that may well have contributed to the financial crisis is that although banks and other financial institutions had large amounts of information about their businesses, they still made bad decisions because they couldn't access the right information when they needed it. "Essentially, they made bad decisions because they didn't have the right technology," McClean said. The new regulations will ensure organizations have better control over the activities particular groups can carry out.
The new regulations will blow away any notion that some of the more stringent Sarbanes-Oxley requirements might be relaxed in the future, so McClean suggests organizations get their houses in order while they have time. Any other preparation is impossible. "The problem for IT departments is that although we know that new regs are coming, we won't know what they are for about 12 months."
John Bace, a research vice president in Gartner's Compliance, Risk and Leadership research group, agrees that the new regulations will have an enormous impact on IT staff workloads. "The last thing we really need is a new wave of regulations, but given the situation in Wall Street at the moment, I believe the shadow the new regulations cast will be longer than Sarbanes-Oxley," he said. However, Bace believes new regulations are inevitable, as they are key to getting confidence back into the financial system. "How was it possible that we did not know about the potential collapse of a major bank until it collapsed?" he asked. "The regulatory oversight model which we have been using was formulated in the 1930s, and it is really no longer applicable."
There are three likely strands to the new regulations when they do arrive:
- A strong push for greater transparency in corporate governance
- A more standardized global set of accounting practices
- A push toward XBRL (eXtensible Business Reporting Language)
In the medium term Bace said XBRL will provide a way for companies to publish real-time information on their business activities, and it's also something that could have a huge impact on IT department activities.
The financial crisis is not the only root cause of the new wave of regulations though, according to Dennis Gaughan, a vice president at AMR Research. He said that in addition to struggling with Sarbanes-Oxley and any new financial regulations, small and midsize businesses in particular are going to have to grapple with state data privacy laws. "The problem is that each state has a different set of laws, so a real challenge will be how to comply with each state's nuances. In many cases it's not entirely clear what each state's laws actually mean," he said.
Gaughan suggested that rather than trying to keep up with each state's laws, the best solution is likely to be to try to apply the strictest set of state laws to all operations. "I think we are going to see a lot of companies struggle to comply with all these state privacy laws," he said.
These problems are compounded when companies operate internationally because national data protection and privacy laws vary widely. For example, Gartner's John Bace points out that the United States' Patriot Act compels any company holding data to produce it and not inform the owner of the data, while Canada's PIPEDA (Personal Information Protection and Electronic Documents Act) has the opposite effect. Identifying where data ends up being stored and what jurisdiction it falls under has the potential to be a major headache for businesses and, ultimately, IT departments.
This could have a major impact for companies planning to make use of services offered in the cloud, whether the public cloud or an internal corporate cloud. The reason is that cloud operations may have little concept of national boundaries, and data can be passed from one cloud facility to another with total transparency if permitted. But many countries, France being a notable example, have strict rules about moving personal data across national boundaries.
So if there's one message for IT professionals who are finding it quiet as the recession bites, it's this: make the most of it while it lasts. New regulations are heading your way, and carrying out the work to comply with them all is going to make everything you've done for Sarbanes-Oxley look like a teddy bear's picnic.
Paul Rubens is an IT consultant and journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.