Submitted by saurav on January 17, 2022

What is WORM technology?

WORM (write once, read many) is a data storage technology that prevents data from being modified or deleted while allowing it to be read as many times as needed.

In a WORM storage device, you can write data once, and after that no one can legitimately change or alter the data in any way. It provides the ability to lock down records so that no unauthorized changes can be made to the data or information. The best example of WORM storage is a CD-R disc. On a CD-R, you can write data but you can’t change it afterwards.

What is WORM compliance and who needs to comply with it?

Compliance is an important aspect for regulated industries such as financial services and the government sector. Capturing and recording text messages and archiving voice calls in unalterable modes are the most common requirements of regulators. If an organization does business in securities or health care services, it falls under the umbrella of the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and HIPAA privacy rules, and it has to be WORM compliant. Other regulations such as NARA, GDPR, FCA, and MiFID-II also require WORM compliance, as they require record capturing and retention. NIST, in its publication SP 800-53, suggests the use of WORM compliance for achieving the integrity of data.

Financial Industry Regulatory Authority (FINRA)

FINRA regulations require that digital records and communications be stored on WORM media, and that firms make sure data is available for discovery and provide audit trails of data access, use, and destruction.

  • FINRA 10-06 - Requires financial firms to retain records of all social media communications.
  • FINRA 11-32 - States that tweets and text messages are written material that needs to be preserved.
  • FINRA 11-39 - Establishes the requirement to retain, retrieve, and supervise business communication, even when that communication is conducted from a personal device.

Securities and Exchange Commission (SEC):

Rule 17a-4(f) of the Securities and Exchanges Act (SEA) states that if electronic storage media is used by a member, broker, or dealer, it shall comply with the following requirement: the electronic storage media must preserve the records exclusively in a non-rewriteable, non-erasable format.

General Data Protection Regulation (GDPR)

GDPR doesn’t specifically demand WORM compliance but it requires data retention without any unauthorized modification. WORM technology is one of the solutions for this requirement of GDPR.

Penalties for non-compliance with WORM:

The penalties under FINRA and SEC 17a-4 are excessive. Under SEC 17a-4, financial firms are under continuous observation and face monetary fines ranging from $1,000 to over $140,000 per breach. There are also non-monetary penalties such as suspension of the responsible organization from their services.

What are the benefits of WORM Storage?

  1. Ensures the integrity and availability of data.
  2. Helps in complying with many information security regulations (e.g., GDPR, FINRA, SEC).
  3. WORM storage solutions can provide scalability so organizations can store large amounts of data.
  4. Lowers the expenses of data breaches and data loss by managing data effectively.

How to comply with WORM?

As we know, WORM storage provides features such as security, integrity, and availability. Many information security regulations require the retention of records for years, and WORM storage can help organizations achieve compliance with these regulations.

For compliance with WORM regulation, the following steps can help:

  1. Understanding the nature of the business
  2. Gap assessment (determining the gaps between existing controls and required controls)
  3. Determining what kind of WORM storage is required based on your business.
  4. Implementing the WORM solution (hardware, cloud-based, or SaaS solutions)
  5. Monitoring the WORM storage technologies (determining their performance)

 

Author
Shubham Singh (Manager – IT Advisory, Riskpro India)
January 2022