Databases and Regulatory Compliance Challenges The advent of technology has increased the popularity of database usage in firms, yet the legislation regulating the field has yet to be finalized. The changing nature of the IT sector, coupled with the legislative traits, creates several situations in which the companies find it difficult to comply with the regulations. This paper recognizes some of those difficulties, and also proposes some solutions.

Databases

Regulatory challenges for databases

No sector in the modern day society evolves as rapidly as the technologic domain. And the innovations developed at this level come to impact all aspects of life, from the spending of the leisure time to the completion of the most challenging professional tasks.

The applications of technology within the contemporaneous society are numerous and complex, one specific example in this sense being represented by superior capabilities for data management. The management of the information integrates the multitude of tools and process focused around the collection of information, its adequate usage and storage.

One notable application in the management of information is represented by databases, which are collections of information, preserved and presented so that they are easily accessible to the people needing the information stored in them. The usage of databases has been characterized by some challenges, such as the need to possess high technological skills of the need to respect legal regulations.

At the level of the skills, it is now noticed that the databases have been developed throughout the years and they are now more user friendly; they do not as such limit their usage to people with high technical skills. While this limitation has then been addressed, the challenge raised by compliance with regulations remains still valid. And the main reason for this is represented by the fact that the domain is a novel one, and the laws to regulating it are still uncertain and under continuous development. Furthermore, the database usage and management are focused on intellectual property issues, which have yet to be adequately regulated by the legislations.

2. Databases

In a general formulation, the database is understood as a collection of data, which stores information and the information can be accessed by the people authorized to access the database. According to Margaret Rouse,

"A database is a collection of information that is organized so that it can easily be accessed, managed, and updated. In one view, databases can be classified according to types of content: bibliographic, full-text, numeric, and images" (Rouse, 2006).

From a technological standpoint, databases can be classified based on their purposes within the entity in which they are utilized. For instance, there is the relational database, which is a tabular database that allows the users to reorganize the contained information in any way that is relevant for their queries. Then, there is the distributed database, which is a database that allows its users to disperse it or replicate it among various points in a network. Last, there are the object-oriented programming databases, which are congruent with the features of object oriented programming.

Within the organizational setting, the databases are normally controlled by the managers, who grant access to other employees; the employees usually have the right to retrieve information from the database and to put information in the database. Some examples of information which can be stored in databases include customer profiles, sales levels, product inventories and so on.

While the employees and the managers are essential in the management of the databases, it must also be noted that these individuals are integrant parties in a larger system of database management.

"Databases and database managers are prevalent in large mainframe systems, but are also present in smaller distributed workstation and mid-range systems such as the AS/400 and on personal computers. SQL (Structured Query Language) is a standard language for making interactive queries from and updating a database such as IBM's DB2, Microsoft's SQL Server, and database products from Oracle, Sybase, and Computer Associates" (Rouse, 2006).

Databases are as such complex constructions which help manage information in the modern day society in an effort to attain the pre-established business or non-business related objectives. Still, despite the benefits they generate for the entities, they also raise some notable challenges, viewed mostly at the level of regulations. These will be addressed throughout the following section.

3. Regulatory challenges for databases

Databases are relatively new tools used within the business and non-business communities, and this novelty is also revealed in terms of its regulations. In other words, similar to any other aspect of information technology, the legislation to manage it is still being developed and continually changed. This is due to the fact that not all dimensions of database usage are known, and not all implications are considered by law makers. These efforts are nevertheless...

For instance, a law regulating the usage of the databases could be ambiguous, as it was unclear for the policy makers how the technological dimensions of database usage are interrelated with the legal aspects. The database users then face uncertainties regarding what is legal and what is illegal in the usage of the database.
Aside from the challenges raised by legal uncertainties, the regulatory challenges also refer to the continually changing nature of the database regulations. As it has been mentioned before, this trend is due to the novelty of the topic and the need to continually research it, identify its dimensions and regulate them. Nevertheless, while this process is justified at the logical level, it also creates some notable shortages for the users of the databases. These include the following:

Uncertainties linked to the emergence of new laws, and the need for the firm to comply with legislations it did not even know existed

The need to implement new and continually changing regulatory compliance aspects, which may lead to operational inefficiencies as more time and resources are allocated to database regulatory compliance, in the detriment of the core activity within the firm

The need to constantly review the legislation and identify new changes, which often materializes in the need to employ -- or at least contract -- a legal specialist. This need also reduces operational efficiency and generates additional expenditures.

Currently, the database usage is regulated by three specific sets of legislations, namely the Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB). The scope of these legislations is that of protecting information and they essentially seek to attain this goal by instating the need for internal audits that safeguard the integrity, confidentiality, availability and accountability of the data. The table below reveals some of the more notable regulations addressed by the current legislation:

Regulation

Risk area

Sarbanes-Oxley Section 302

Unauthorized changes to data

Sarbanes-Oxley Section 404

Modification to data, unauthorized access

Sarbanes-Oxley Section 409

Denial of service, unauthorized access

Gramm-Leach-Bliley Act

Unauthorized access, modification, disclosure

HIPAA 164.306

Unauthorized access to data

HIPAA 164.312

Unauthorized access to data

Basel II -- Internal risk management

Unauthorized access to data

Code of Federal Regulation Sec 11

Unauthorized access to data

Source: Altius IT, 2012

These regulations are commonly known by the auditors and accountants within the firms -- who nevertheless are familiar with audit processes, but may not know the insides of database auditing. Still, the internal controllers and accountants are better informed from the legal standpoint than the IT specialists. This is a notable problem within the different institutions, as they may come to situations when their IT staffs are unaware of the legal dimension of their activities, and they even come to break the law.

In order to avoid such situations, it is necessary for management to ensure legal training to the staffs in the Information Technology department and to as such ensure that the database operations completed by the firm are in full accordance with the legislations. To achieve this however, the firms have to allocate and invest additional sums of money, which increases their spending and may reduce their profitability. Nevertheless, it would be much costlier for the entities to risk legal infringements and the lawful and financial repercussions that come with them.

In such a setting, the firms normally seek to conduct their internal controls through which to ensure that they respect the legal stipulations. The focus of the controls in database usage normally falls on the following issues, all generative of challenges for regulatory compliance:

The storage of the database, referring specifically to the hardware devices and software applications, as well as the external services which may be used to store the documents

The creation of the database, understood as the ability of the database users to participate with information in order to create new documents within the database

The capture of data, understood as the metadata information that includes the date and time of the document, as well as its storage

The filing of the documents in the database, specifically the mechanisms employed in their filling and organization

The retrieval of information from the database, referring specifically to the indexing of the documents, their location in the database, their response times and so on The workflow in the database, which ensures that the documents in the…