To: Jonathan Katz
cc: David Karasik
US Securities and Exchange Commission
Re: File No. S7-17-99: Recordkeeping Requirements for Transfer Agents
From: Michael Kilian, EMC Corporation
EMC has the privilege of participating in the discussions regarding the storage of documents for Transfer Agents. We are concerned that the current direction expressed by the SEC will be onerous to Transfer Agents and will ultimately be obsolete upon delivery. Furthermore, the rules would greatly degrade the value of archived information to businesses in an age where information is often considered a corporation's greatest asset.
The following paragraphs look at the issues surrounding the use of WORM (in particular, optical WORM), and why the proposed rules are insufficient to handle the coming tidal wave of information that must ultimately be administered under these rules.
Information Growth is Outstripping our Capability to Effectively Archive It
The specification that records be retained on non-erasable, non-rewritable media is a prescriptive rule. It effectively dictates the technology that these records can be stored with, i.e., optical platters or proprietary tape cartridges (specifically, the STK VolSafe). Unfortunately, this technology has become largely obsolete as the volumes of information have grown exponentially. For example, we see the next generation of DVD CD-ROM able to store 10 Gigabytes (GB) on a 5-inch optical platter. It would take over 3000 of these platters to hold the capacity of a single high-end disk subsystem utilizing the next generation of disk drives (180 GB/disk drive). In 2002, disk drive technology will have advanced to the point that 10,000 optical platters will be required to store the contents of a single high-end disk subsystem. Managing this volume of media is expensive and onerous to the firms wanting to use Electronic Recordkeeping.
Retaining the Value of Information
Archiving information off-line significantly erodes the value of the information. Today's WORM devices take a very long time to access (by electronic standards, thirty seconds is a lifetime). There is a realization by most companies that information that would otherwise be archived can be used for marketing initiatives, online-fraud detection, measuring customer behavior (be it an end-user customer or a firm), etc. By keeping information on-line and readily accessible, it can be used to perform these tasks. It is virtually impossible to do significant processing of information that is not accessible in real-time, i.e., the delay of a robot mounting an optical platter (assuming the platter is even under automated control) may make processing the information on the platter infeasible. Even the latency of access when a tape or platter is online may preclude significant processing of the information.
The Rules must allow Technology to Evolve
Prescribing WORM technology actually works against long-term retention (and, more importantly, access after long-term retention). Quite simply, as WORM devices improve, it is very difficult to migrate information from one generation of the technology to another. This may result in years of obsolete platters that do not have device capable of reading them. Migration of information is essential if the latest storage technologies are to be used. Optical platters are notoriously difficult to migrate because of their slow transfer rate and the fact that not all the media can be accessed simultaneously (in fact a very small percentage of the media is ever on-line at any point in time). Given the incredible rates of change of storage technology (2-3x increase in storage density every 12 months), it is essential that the Recordkeeping Requirements not preclude ready migration of information from one storage technology to another.
WORM does not ensure Immutability
Migrating data is of concern since it provides an opportunity for the information to be modified (accidentally or even maliciously). In fact, this situation exists with current WORM technology. Information invariably exists on rewritable media before it is transferred to a WORM device. Today there is no assurance that the information is not modified on its path from rewritable media to WORM. There are opportunities for it to change at any number of points. Furthermore, even when written to WORM, who is to say that an unscrupulous operator can't copy a piece of media (modifying some portion of it in the process). He can then replace one piece of media for another (e.g., replacing one of the three thousand platters discussed above that are not under any automated control).
To understand why WORM should not be prescribed, it may be useful to look at alternative approaches to see how we can preserve more of the information's value and increase the retention and "auditability" of the information.
The focus of the SEC rules should not be creating an immutable copy, but creating a copy that can be verified as authentic. For example, we can imagine an E-mail system that digitally "fingerprints" a message that has arrived. This fingerprint ensures that if the message is modified anywhere along the path from the server that has received it to the ultimate archive destination, the modification can be detected. Note that fingerprinting does not necessarily prevent the modification from being made. It does, however, allow an auditor to detect the modification, which is essential in preventing fraud. As mentioned above, current rules do not prevent modifications of information along the chain from inception to archival. Nor do the current rules prevent loss of information, even after being archived. Since it will inevitably be the case that today's WORM media is ejected from automated control, the likelihood of losing information because of media failure is actually high (oops...I dropped this platter...).
Another approach to securing information is to keep a copy of the information at a neutral third-party site. Today's communication technology can allow this replication to occur at electronic speeds. The third party could then be responsible for archiving the information that it receives in such a way that it can be authenticated, and that it can be immediately accessible. EMC understands that the Commission has considered this approach and found it wanting with respect to privacy. This is understandable but also could be addressed with appropriate encryption models and key management tools.
Avoiding Prescriptive Rules
Rather than prescribe a technological solution to information management (i.e., write the information on non-eraseable, non-rewriteable media), it may help to return to first principles. The goals of the SEC rules include:
1. Long-term retention and access to records
2. Detection of fraud, including forged or illegally modified records
A corporation adhering to the SEC rules also has goals including:
3. Make information more useful, and therefore an asset rather than a liability
4. Scale their organizations to handle their ever expanding amounts of information
The challenge is to provide enough structure in the rules to ensure that goals 1 and 2 are met, without squelching goals 3 and 4. The advantage of meeting goals rather than prescribing technologies is that the rules become technology agnostic and as technology advances, the rules can be applied to the latest developments in the industry. For example, if the rules allowed fingerprinting as a suitable authentication mechanism, it could create a cottage industry of record management companies (e.g., IXOS) that satisfy these rules.
Perhaps a Recordkeeping rule should be phrased more in terms of:
1. Records shall be accessible for n years.
2. Records shall be indexed (though it is not clear what fields in the record constitute the keys of such an index; this is ambiguous in the current rules).
3. A record can be verified as having not been modified or deleted. Verification must unimpeachably determine that a record has not been modified from the point in time when the record leaves control of the originator (e.g., an E-mail message should be able to be verified that it has not been modified after the composer of the message sends it). It may be possible to have levels of compliance, e.g., fingerprinting a message upon sending it may be a stronger level of compliance than archiving to an optical platter since the fingerprint is derived closer to when the record has left control of the originator.
Of course the tough part is the unimpeachable part of verification. The current rules try to achieve this by prescribing a technology that should be hard to cheat. But in fact, it is extremely difficult to specify qualities of a solution and to quantify how well that solution prevents cheating. As we pointed out earlier, it is feasible to cheat with optical platters (either before or after the information has been archived to the platter). Ultimately, this needs to be solved with a process. A technology needs to be presented to a panel of "experts" who can credibly assess the risk factors of the technology and then bless it. In this way, a mechanism has been established that allows technology to evolve quickly while still retaining some control over the risk of that technology for information retention.
This memo has tried to illustrate some of the shortcomings of prescribing technology for document retention for Transfer Agents. Instead we recommend that criteria and processes be established that allow solutions to be evaluated as to whether they achieve the goals of the SEC. As technology unabatedly continues to increase in capacity and capability, flexibility in the rules of the SEC will be crucial if the rules are to avoid obsolescence.