From nukes to Sarbanes-Oxley

Iron Mountain used to store corporate records in preparation for nuclear war. CEO Richard Reese is now applying that expertise to tracking e-mail for regulatory compliance.

Ed Frauenheim Former Staff Writer, News
Ed Frauenheim covers employment trends, specializing in outsourcing, training and pay issues.
Ed Frauenheim
8 min read
Richard Reese has plenty of experience managing paper records, and he's trying to bring that know-how to keeping track of electrons.

For more than 20 years, Reese has been chief executive of Iron Mountain, a company that began in 1951 to store corporate records in the event of a nuclear war. Iron Mountain created a records storage center at a depleted iron ore mine in New York, hence the company name.

Since 2001, though, Iron Mountain has been pushing to store and manage customer records on computer gear as well. The company has invested more than $50 million in a "digital archives" business, designed to help clients comply with new data-handling regulations.

The Internet-based service aims to consolidate electronic records, such as e-mails, images and electronic statements, into an archive for quick and easy searches and retrievals. In addition, Iron Mountain offers to back up customers' data from server computers and PCs in case of a disaster.

The company has teamed up with storage titan EMC to offer e-mail-archiving products for securities firms and brokerages. Still, Reese is up against some stiff competition in his quest to marry the physical and electronic worlds. Data storage specialists such as IBM, Network Appliance, Veritas Software and Zantaz are also gunning to help customers comply with regulations and protect data.

But Reese claims that his old-economy company is well-suited to help clients in the newer digital world. After all, Iron Mountain has turned to technology to help it manage millions of boxes of records in the material world. "We have been big database operators for a long time," he said. "And we build most of that technology ourselves."

CNET News.com recently spoke with Reese about Iron Mountain's digital-records strategy and how lessons from the physical arena are being applied to the electronic realm.

Q: Why should companies trust you with all this technology, in terms of electronic records, when you are pretty new to the technology field?
A: For a couple of reasons. The first is the word you used: trust. We store more data for more companies, more organizations than anybody in the world. And we have built a reputation (of) being trusted to protect and manage that data.

I will not use names, but there are plenty of technology companies that I can guarantee customers would not trust to store the data. Beyond trust, you have got to know what you are talking about. We recruited a very good staff.

We have been big database operators for a long time, and we build most of that technology ourselves. So we have a total information technology staff of more than 300 people and spend a total of about $1 million a year on IT. Technology has always been an important part of our business strategy. We run in many decentralized sites throughout the world. Without technology gluing it all together, managing the business would be impossible.

You have warehouses around the country where you are storing the paper records?

Regulatory compliance and retention management, as you well know, is the name of the game today.
We operate out of about 50 million square feet of space around the world. That is over probably 700 locations. It is one thing to manage one warehouse with maybe 100,000 or 200,000 items in it. Try managing a warehouse with 4 million or 10 million items in it. An item misplaced is an item lost, when you have that many.

Do you make that argument to customers, when you go to their sites?
We make it in terms of what we spend and what we build and how we operate. Nobody in the world in our physical businesses spends this much on technology. That is one of our competitive advantages on the physical business. We can do some very interesting things for you--for storing a box of paper--that can help you be compliant. Regulatory compliance and retention management, as you well know, is the name of the game today.

We have been building technology to help people deal with that in the paper space. The theories and the business process in the paper space convert well to the digital space, because you have to meet the same laws and regulations.

The other element that we bring is the ability to manage what we call cross-assets. You have information in a digital form, like e-mails covering a subject, and you may have something like an e-statement covering that same subject, and you may have paper records on that subject. You come to our Web site, and you can do a search, and you can see what you have as cross-assets, and you can manage the cross-assets, and you can respond to a client's request.

So the client can go to your Web site, do a search for a particular document or e-mail, and ask for it?
Absolutely. In the physical business, you can come on our Web site, and you can search your database that we manage for you. It is typical Internet technology--drop it in a shopping cart, place your order, and tell us how fast you want it. We might put it in a truck and get it to you in two hours at one price; put it in a truck and get it to you by the end of the day at another price. If you wait until tomorrow, there is another price. If you are really in a hurry, we will scan it--it goes from paper to digital--and have it on the Internet for you in a matter of few minutes. You pay for your delivery based upon speed.

Can you tell me anything about the amount of revenue you generated from digital?
In 2003, our total revenues worldwide were about a billion and a half, and our total digital revenues were $10 million, maybe a little lower. We are just in the beginning stages.

We saw the vision and the need for this service, frankly maybe too early in the market. Everybody knows about Sarbanes-Oxley. What people do not know is that well before Sarbanes-Oxley, there were a whole host of trends all driving to the same place, and they all were driving toward more compliance obligations to keep more records.

Customers now all understand they have a problem. They are running around, scratching their heads.
Customers now all understand that they have a problem. They are running around, scratching their heads. They do not know how to solve the problem, and the market has not yet settled down as to what a right approach is. What is an appropriate e-mail retention policy? The answer is up in the air, and different companies have taken different approaches. But it will all settle down, and some of it will settle down through lawsuits and further regulations and so forth.

The question really is how tight versus loose you are going to start having to save these e-mails--or what is going to count as a document that falls under the regulations.
Absolutely. For the Securities and Exchange Commission-regulated companies, it is very clear. You have got to keep all client-related business e-mail for three years. But for the general corporate public, it is more of: What did you say in the e-mail? Because regulation speaks of keeping information based upon its subject matter content, not based up on its context or its format. And as you know, most people do not write memos at all, and almost as few write letters. It is all going out through e-mail. So there is a lot of content going through the e-mail system that is subject to regulation. The trouble is capturing them.

Do you guys have some of that intelligence software that tries to analyze the content in e-mail?
People have played with that so far, but to my knowledge, nobody is making that work yet. It may happen one day, but nobody has gotten there yet.

When do you expect to recoup the investment from your digital-services businesses?
We are nowhere near close to recouping the investments. I mean, we are two to three years out, probably, from breaking even. Look, this is a new market, and we have learned a lot in it.

Everybody in the technology space today is talking about doing this. Most of them talk about doing retention and archiving, and in spite of technology doing the job, it is hard to do archiving when you are doing lots of terabytes. We think that an offsite model has some advantages, but look, a lot of customers would want to do it themselves, and we certainly see that happening.

There are some companies that offer both online as well as on-site e-mail archiving.
We have an on-site partnership with Legato Software. You could fix a certain amount of e-mail that you might want to keep on-site over a certain time period, and if you so chose, then you could take the very old stuff and put it off to us. You may want to keep most of this e-mail for seven to 10 years, but your access to it is going to be random, and for most of it, never at all--hopefully.

We will drive your cost of storage down through the long haul. We are going to eventually put it to tape, and take that tape and put it into one of our vaults. We will do all that physical work for you. So what we are trying to do is marry our technology knowledge that we have learned with our historical skills, as good managers of physical information and physical items. If you are going to keep something long-term, this is the right way to do it, unless you just want to pay a lot of money for it.

Doesn't IBM have a similar kind of service?
I think that if IBM is going to do off-site storage, it will use Zantaz today. But I am sure that through its Content Manager and some of its other applications, they would do it for you on-site.

If you look out in the market space for document management, for records management, for content management, what you really see is a lot of silo applications. We are a firm believer that the world is going to be open architecture--that no company is going to buy one application across its whole geography worldwide to do everything. So all these applications are going to have to work together. Our vision, eventually, is opening up our systems so that if a customer wants to search ours and somebody else's at the same time, they can do that.

But across all of that, no matter whose technology you use, you have to install it with consistent retention rules, or you will be dead in court. The hard part is keeping consistency across applications and across what I call data pools. At Iron Mountain, we have a consulting business that will help you do that, and so we do not care if you use our technology or somebody else's--we will help you design the policies to meet your legal requirements.

So the important thing is to make sure that the company's policies are in order, and you can help them do that?
Not only to make sure that they are in order but also to make sure that they are consistently applied and implemented. The standard in the world now--and where the lawyers come at you--is: Did you apply that same policy to all the information, regardless of the location or format, in a consistent manner? That is hard to do.