SOX doesn’t define what storage media is allowed. As Senator Sarbanes indicates, ‘that’s for the courts to decide.’ SOX states the penalties for not being able to produce data as:
Title VIII: Corporate and Criminal Fraud Accountability Act of 2002.
It is a felony to ‘knowingly’ destroy or create documents to ‘impede, obstruct or influence’ any existing or contemplated federal investigation.
Auditors are required to maintain ‘all audit or review work papers’ for five years.
Title IX: White Collar Crime Penalty Enhancements
Maximum penalty for mail and wire fraud increased from 5 to 10 years.
Creates a crime for tampering with a record or otherwise impeding any official proceeding.
Section 1102: Tampering With a Record or Otherwise Impeding an Official Proceeding
Makes it a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object’s integrity or availability for use in an official proceeding, or to otherwise obstruct, influence or impede any official proceeding. The offender is liable for up to 20 years in prison and a fine.
Further, SEC CFR 240 17a-4 indicates:
Electronic records must be stored on non-rewritable and non-erasable media.
The system must ‘verify automatically the quality and accuracy of the storage media recording process.’
The organization using electronic records must provide regulators with ‘facilities for immediate, easy readable projection or production of electronic storage media images and for producing easily readable images.’
The system must ‘store separately from the original, a duplicate copy of the record.’
An article at TechRepublic points out deficiencies regarding email:
The scenario is common: A company gets a new Microsoft Exchange server, and the users are happy with the Outlook calendar and Internet e-mail capabilities. Messages go in and out, but there is no archival process. Backups are sent to tape, which are rotated weekly and overwritten. However, according to Sarbanes-Oxley, if your network administrator is instructed to overwrite the tapes, then your company knowingly allows potential evidence to be destroyed. Depending on your business risks, this scenario could become a malpractice time bomb. In addition, a simple backup of the Information Store with all the mailboxes in your Exchange server will not give you all the e-mails going in or out. So you are at risk when users delete messages, especially if they are engaged in some kind of misconduct.
I don’t think tape is a medium for long-term storage. You can write over it and you can erase it. In the best environments, there is a strong possibility the tape will bleed through and be unusable.
Unfortunately, the courts have already indicated that ‘a nice try’ when attempting to recover subpoenaed data is unacceptable.