Record Keepers' Bane
Is Tech Sector's Boon

Uncle Sam is cracking down.

For much of U.S. business, these and other elements of Washington's new regulatory requirements translate into costly misery. But for the beleaguered high-tech sector, there is a silver lining: a new selling opportunity.

Purveyors of computers and software are offering new products tailored to regulatory compliance. Because many of the new enforcement actions relate to record-keeping, the biggest beneficiaries may be data-storage vendors -- including EMC Corp., International Business Machines Corp., Hewlett-Packard Co.; and Hitachi Ltd.

When introduced last year, EMC's Centera storage system was touted as a new way to archive unchanging data, such as images of canceled checks, on cheap hard disks. But after realizing the opportunity in the heavy hand of regulation, EMC released a new version, called "Centera Compliance Edition," which sports such features as automatic purging of records the moment they have passed their mandated retention date. "We gave it a new personality type," says Roy T. Sanford, an EMC vice president. And a new price: Compliance costs 15% to 20% more than plain-vanilla Centera.

Raymond James Financial Inc., a financial-services firm based in St. Petersburg, Fla., bought six terabytes of Centera storage -- enough to store the equivalent of 500 billion typed sheets of paper -- largely to archive the company's e-mail and transaction data.

Storage vendors say brokerage houses became increasingly alarmed about record-keeping in December, when the SEC fined five Wall Street firms -- including Morgan Stanley and Goldman Sachs Group Inc. -- $8.25 million for shoddy e-mail retention. The SEC invoked its Rule 17a-4 in the action, which requires that e-mails and other records be kept for three years, stored in a format that can't be overwritten or erased, and made readily accessible if regulators ask for them.

OPPORTUNITY KNOCKS Technology companies are hawking new products tailored to helping customers comply with strict regulatory rules. A sampling: • EMC: The Centera Compliance Edition can automatically lock files, then purge them as soon as regulations permit.   • Ethicspoint: Developed a Web-based system for reporting accounting fraud.   • IBM: Using the new health-industry law to convince hospitals to store more records electronically on IBM equipment.   • Network Appliance: Added a feature to its data-storage units that can prevent alterations to files.   • Saflink: Its "biometric" security devices are used to screen access to private patient records

If lawyers wanted, say, all e-mails sent by a certain person containing a certain keyword, it would take weeks on older storage systems that use jukeboxes of optical disks much like CDs, says Karl Schoellnast, vice president of information at Raymond James. Because data can be stored on hard drives in the new EMC system, retrieval takes minutes.

Peter Gerr, an analyst with Enterprise Storage Group of Milford, Mass., notes that four highly regulated industries -- health, life sciences, defense and financial services -- are among the hungriest consumers of storage space for content that doesn't change, such as archived e-mails.

Health care is a big target market for IBM, which is banking on the Health Insurance Portability and Accountability Act to goad more hospitals into storing MRI and CT scan images -- voracious consumers of disk-space -- electronically instead of on film. A provision of HIPAA that went into effect April 14 requires hospitals to have a system that keeps a log whenever any part of a patient's record is accessed for certain nonmedical purposes -- a task that is painful if the records are kept on paper or film and scattered across a hospital.

Covenant Health, a hospital system in Knoxville, Tenn., spent about $500,000 to put in place a 25-terabyte IBM storage bank to handle its patient records, says Frank Clark, chief information officer. Another provision of HIPAA requires that all electronic patient information be secured. That means any e-mail sent outside the hospital that includes even a whisper of patient data must be encrypted. HIPAA, says Mr. Clark, "is our Y2K."

Other vendors are also marketing their products as compliance-friendly. Hitachi's storage unit, a big EMC and IBM rival, last year introduced a feature called LDEV Guard that allows files to be permanently locked onto a disk in its mainframe storage systems, a solution the company says complies with the SEC's data-retention rule. Network Appliance Inc., of Santa Clara, Calif., released a similar product called SnapLock last week.

It isn't just storage and record-keeping systems that are required. Dozens of small entrepreneurs are savoring a tasty nugget in Section 301(4) of Sarbanes-Oxley, which requires public companies to provide employees an anonymous, confidential way to blow the whistle on co-workers for accounting shenanigans.

Report it on the Net Inc., a small Long Island outfit experienced in running hot lines to report occupational-safety infractions, has been advertising its ability to switch that system to reporting accounting fraud. "Our application is just a natural fit," says president Anthony Lavalle.

Closely held Ethicspoint Inc., of Portland, Ore., says sales of its Web-based infraction-reporting systems have been growing briskly since Sarbanes-Oxley. Chief executive David Childers says more than 100 companies have purchased Ethicspoint's service for Sarbanes-Oxley compliance since last year, including Dial Corp. and Charter Communications Inc.

When an employee submits a claim of accounting malfeasance, the report is kept securely on Ethicspoint's computers, and can be accessed only by designated senior officials at the company -- unless those officials are named in the complaint, in which case the system can block access and notify outside counsel.

Mr. Childers says only a complaint system operated by a third-party vendor will be trusted by employees worried about reprisals. "It's hard to get your employees to believe that a system wholly owned and operated by management is anonymous and confidential," he says.

Write to Charles Forelle at charles.forelle@wsj.com