BellSouth Corp. knows how to work in a regulated environment, having had the government involved in its telecom business since its earliest days. Nevertheless, meeting the requirements of the Sarbanes-Oxley Act has added business-technology costs, in part because the IT department supports a group of auditors who review internal financial controls for compliance.

"Sarbanes-Oxley is going to cause us to expend resources," CIO Fran Dramis says. "These are new rules. To some extent, we'll have to learn as we go."

For many companies, Sarbanes-Oxley isn't the only new compliance challenge complicating the lives and budgets of business-technology executives. The USA Patriot Act, the Health Insurance Portability and Accountability Act, and the California Security Breach Notification law are hitting companies with tsunami-like force. This year was rife with deadlines for these laws and regulations, each requiring changes and additions to the business technology and processes that companies use to comply.

HIPAA's privacy provisions went into effect April 14 for large health-care services providers. On Oct. 1, financial-services companies had to have upgraded customer-identification programs in place under the USA Patriot Act. By Oct. 16, health-care providers and health plans are supposed to be using HIPAA's electronic-transaction formats. And it doesn't stop with the new year. On April 14, small health-care providers and insurers must comply with HIPAA's privacy policy. A provision of Sarbanes-Oxley goes into effect June 15, requiring public companies to issue assessments of the internal controls they use for financial reporting. Then, HIPAA's security provisions go into effect February 2005, and the Basel II accord, which sets global risk-management standards for banks, is scheduled for 2006.

Faced with a proliferation of regulations, CIOs, CFOs, and other executives are puzzling over how to deal with the demands and costs of complying while finding ways to squeeze business value from these efforts.

Seven out of 10 respondents to an InformationWeek Media Network Research survey of 650 busi- ness-technology executives say their companies will spend more on technology to achieve compliance this year than last (see chart, above). The same number say their companies use storage-management software, document-management systems, data backup-and-recovery systems, and electronic-communications- monitoring software for compliance (see chart, right).

Nearly half of respondents to the InformationWeek survey say they're taking steps to comply with Sarbanes-Oxley, second only to HIPAA, which has health-information-privacy provisions that hit health-care services firms particularly hard, but also affect all businesses that deal with employee health issues (see chart "Regulatory Focus").