
Your guide to WORM Compliant Storage

WORM: there are certainly sexier acronyms. But when it comes to data storage, we’re not talking about those muddy little bugs.  In fact, WORM compliant storage exists to prevent hacking and bugging, and protect the integrity of your customer, staff and third-party data. Keep reading to find out exactly what WORM compliance requires, and how to go above and beyond to safeguard your data.

23 May 2024 6 mins read
By Jennie Clarke

What does WORM storage mean?

WORM stands for write once, read many. It’s a method of data storage aimed at maintaining the integrity of the original information. 

Thus, there are two principles that storage platforms must follow to meet WORM regulatory compliance:

  1. Not allow data to be edited, deleted or hidden after it’s been input (known as immutable storage)
  2. Enable easy access to archived data by multiple users within the organization under a retention period

These two principles literally help regulated companies to write the data once, and allow the electronic records to be read by many. In turn, this secures the confidential data of individuals and organizations, preventing it from being tampered with. 

Who must comply with WORM storage?

WORM storage is the accepted standard for records management at regulated companies in both the financial trading and healthcare sectors.

Records in these industries are particularly sensitive, as they could contain an individual’s confidential medical details, for example. If edited, this could have disastrous consequences for misdiagnosis rates, death rates, and even health insurance policies. Likewise, information in the financial sector must remain safe and private, since it can affect mergers and acquisitions, company valuations, jobs and the wider economy.

Organizations in other sectors may also choose to become WORM compliant, as this is the leading method of archived data storage. In fact, at enterprise level it’s considered the gold standard. However, most of these businesses are not bound by regulation.

What are the WORM compliant storage requirements?

There are four essential requirements for WORM compliant storage programs:

  1. Only allow data to be written in once
  2. Prevent any user from deleting the data
  3. Keep records for both writing in the data, and accessing the data
  4. Allow anybody with the approved credentials  

These requirements ensure that once entered, data cannot be tampered with by insiders. Moreover, the accessibility standards aim to prevent unauthorized access by external cybercriminals.
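
The four requirements above, sketched as a small in-memory store (an added example, not code from the article or from Global Relay). The class and method names are hypothetical; requirement 4 is assumed to mean read access for approved users, and deletion is assumed to be blocked until a retention period expires.

```python
import hashlib
import time


class WormViolation(Exception):
    """Raised on an attempt to overwrite or delete a retained record."""


class WormStore:
    """In-memory sketch of the four requirements; not a production backend."""

    def __init__(self, approved_readers, clock=time.time):
        self._records = {}                   # key -> (data, sha256, retain_until)
        self._approved = set(approved_readers)
        self._clock = clock                  # injectable so retention is testable
        self.audit = []                      # (time, user, action, key, outcome)

    def _log(self, user, action, key, outcome):
        self.audit.append((self._clock(), user, action, key, outcome))

    def write(self, user, key, data, retain_seconds):
        if key in self._records:             # requirement 1: write once
            self._log(user, "write", key, "denied")
            raise WormViolation(f"{key!r} has already been written")
        digest = hashlib.sha256(data).hexdigest()
        self._records[key] = (bytes(data), digest, self._clock() + retain_seconds)
        self._log(user, "write", key, "ok")
        return digest

    def delete(self, user, key):
        _, _, retain_until = self._records[key]
        if self._clock() < retain_until:     # requirement 2: no deletion, for any user
            self._log(user, "delete", key, "denied")
            raise WormViolation(f"{key!r} is under retention")
        del self._records[key]               # assumption: disposal allowed after expiry
        self._log(user, "delete", key, "ok")

    def read(self, user, key):
        if user not in self._approved:       # requirement 4: approved credentials only
            self._log(user, "read", key, "denied")
            raise PermissionError(f"{user!r} is not approved to read")
        data, digest, _ = self._records[key]
        if hashlib.sha256(data).hexdigest() != digest:
            self._log(user, "read", key, "integrity-failure")
            raise WormViolation(f"{key!r} failed its integrity check")
        self._log(user, "read", key, "ok")   # requirement 3: reads are recorded too
        return data
```

Denied attempts land in the same audit trail as successful ones, so the log shows who tried to overwrite or delete a record as well as who read it.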

Extra security measures for data integrity

WORM-compliant businesses typically opt for added security measures as they further maintain the integrity of the data. 

For example, employee training ensures that those with access to the data know exactly how to input it, read and use it when necessary. Archived data often sits for years without being touched. But on the off chance that it’s needed for an audit, teams must be able to quickly and easily find the right information. With regular employee training, companies can ensure that their employees are competent, and know the rules around the data.

Having defined responsibilities is one way to exercise internal control. Having an individual’s obligations clearly set out follows the four-eyes principle, a way to segregate duties in sensitive systems to ensure that teams are checking each other’s work. This makes it much harder for an internal fraudster to operate, reducing the likelihood of data leaks.

Finally, regular scenario testing is a good idea to ensure that your WORM compliance is keeping up with the newest technology, and any emerging trends. For example, Equifax suffered from a huge data breach in 2017 due to a few mistakes:

  • They failed to renew an encryption for an internal tool
  • They also failed to patch up a vulnerability, where the solution had been available for six months
  • Hackers found usernames and passwords in plain text, making them easy to exfiltrate
  • Its ecosystem was not segmented, meaning once in, the hackers could access the entire system

Scenario testing would have likely found these errors, preventing the data breach, which affected approximately 40% of the US population. Undertaking ongoing monitoring helps organizations to meet developing compliance demands, and protect their data from falling into the wrong hands.

Where did WORM come from?

WORM technology was initially developed in the 1970s, in order to develop a CD-ROM that couldn’t be written over. The technology was also used to archive other file types, safeguarding them and active files from tampering.

In the early 2000s, the WORM archiving method gained prominence and has since become the gold standard for many of the global regulations we know today. Honorable mentions include:

  • SEC Rule 17a-4: a US-based data processing rule for broker-dealers in financial services
  • MiFID II: a reformed regulation for economic trading in the European Economic Area
  • HIPAA: the US’ primary healthcare information act
  • GDPR: Europe and the UK’s internet and third party data sharing laws
  • NARA: electronic information sharing requirements for agencies in the US

No matter where the business operates, it’s clear that those in the healthcare and finance industries are guided by WORM principles in their data storage methodologies.

Non-compliance isn’t an option – and Global Relay can help

One of the most alarming cases of non-compliance with WORM storage affected Salesforce – a nearly $300 billion company. After becoming a third-party software supplier to children’s clothing company Hanna Andersson, the latter experienced a data breach.

The incident occurred in 2019, and was found to have been caused by:

  1. Inadequate classification of data (into the wrong risk level)
  2. Lack of internal controls, leading to widespread data access 

With over 200,000 customers’ data leaked, the incident led to a $400,000 settlement and impacted both companies’ reputations.

As mentioned, healthcare and securities are the only two industries where WORM data storage is mandated. But for cloud storage companies like Salesforce, WORM is a bit of a no-brainer. It’s the leading method of data storage, and would have been beneficial for the organization to follow.

That’s where Global Relay comes in. We operate an all-in-one archive that keeps you compliant, informed and in control. With dual encryption and integrity checks, customers benefit from confidence in their records – and our AI enrichment means that they can gather the insights they need, quickly.

And of course, the archive meets the likes of the SEC, MiFID II and FINRA WORM compliance requirements. Reach out to the Global Relay team for a bespoke demo.
