Key Compliance Elements: Data Retention, Recoverability, and Disposition
(27/06/2007)
Regulations like Basel II, HIPAA, and Sarbanes-Oxley apply enterprise-wide; there is no exclusion for remote offices. So even if you’ve spent millions of dollars and countless weeks securing your data center, it may not be enough to pass a compliance audit. You also need to secure remote and branch office (ROBO) data—or it could turn out to be your company’s Achilles heel, a costly area of vulnerability in an otherwise compliant organization.
When it comes to data retention, there are no more casual Fridays—it’s buttoned-down, serious business with potentially grave consequences for non-compliant records protection and retention. And compliance regulations don’t distinguish between data center and remote office data—if it’s one of your sites, it’s your data and you’re responsible.
So what exactly are the consequences of non-compliance? To your company, non-compliance can mean financial penalties, reduced stock value, loss of customer confidence and lost sales revenue. But it’s the personal costs that can be the most fear-provoking. Non-compliant behavior can mean job loss, financial penalties, and yes, even handcuffs—miss the boat on HIPAA regulations, for example, and you could find yourself up the river for five to ten.
Think it could never happen to you? Consider these sobering facts and events:
- The New York Data Law states that failure to disclose data breaches can result in fines up to $150,000. Similar legislation applies in California, and nearly two dozen other states are debating or have passed legislation that forces companies to reveal unauthorized access to information. With these laws in effect, more and more companies, including the likes of Marriott, Wachovia and Bank of America, are facing the very negative and public consequences of lost computer tapes and other data breaches.
- In February 2006, U.S. investment bank Morgan Stanley offered to pay $15 million to resolve an investigation by U.S. regulators into the bank’s failure to retain email messages. Email took center stage in a $1.58 billion judgment against the company in a case that centered on the firm’s inability to produce email documents—the firm said that backup tapes had been overwritten.
- In Zubulake v. UBS Warburg, a gender-discrimination suit, the judge instructed the jury that it was legitimate to presume that the information Warburg couldn’t provide due to lost backup tapes and emails was probably damaging to the company’s case. Zubulake was awarded $20 million.
Heard enough to take action? The good news is that there’s plenty of help available. Technology vendors are offering an increasing portfolio of solutions to help enterprises address issues of compliance. While the program that works best for each organization will most likely be a customized blend of platforms, applications, media, etc., every technology solution should integrate a mechanism for protecting ROBO data. Otherwise, no matter how much your company invests in securing its data center, your remote office data could turn out to be your Achilles heel, putting you at risk for serious non-compliance penalties.
Whether you choose to implement your own ROBO backup/recovery solution or contract managed offsite backup services through an IT Service Provider, you will need mechanisms for data retention, recoverability, and disposition.
Here is what you should look for:
- Secure, long-term data protection. Retention periods can range from a few years to 30 and more. Sarbanes-Oxley, for example, states that companies must save electronic records and messages (email and instant messages) for at least five years to ensure that auditors and other regulators can easily obtain requested documents. Basel II requires banks to maintain three to seven years of data history.
- Fast data accessibility and recoverability. Many companies admit that with their existing tape backup/recovery systems, responding to a request for data might take days or weeks. Protracted searches can mean not being able to satisfy regulatory requests or not producing data in time to fend off litigation.
- Controllable disposition of data. Destroying data on time is just as important as securely retaining it. Backup Lifecycle Management (BLM), a term coined by Asigra, is a critical element of controlling backup and archive (non-active backup) copies of data as part of the total lifecycle of the data. If you think you’ve destroyed certain data but a long-lost backup copy is left behind, it imposes unnecessary risk. Being able to align your backup retention policies with primary data retention policies is essential.
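The three requirements above (retention, recoverability, disposition) are easier to reason about as a concrete policy check. The following is an added example, not code from the article or from Asigra: it takes an inventory of backup copies across the data center and remote sites, applies per-class retention periods (the sample values follow the five-year and seven-year figures cited above, the class names and site names are constructed), and flags copies that should be retained, that have passed their retention deadline, or that are orphaned because the primary record was already destroyed while a backup copy survives. Records under legal hold are exempted from disposition, which is an assumption about policy rather than anything the article states. It also lists sites that have no backup copy at all, the remote-office gap the article is about.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample policy, in years. The article cites five years for
# Sarbanes-Oxley records and three to seven years for Basel II data history;
# the class names and the three-year HR figure are assumptions for the demo.
RETENTION_YEARS = {"sox_records": 5, "basel_history": 7, "hr_records": 3}


@dataclass(frozen=True)
class BackupCopy:
    copy_id: str
    data_class: str   # key into RETENTION_YEARS
    record_id: str    # identifier of the primary record this copy protects
    site: str         # "datacenter" or a remote/branch office name
    created: date


def add_years(d, years):
    """Calendar-year offset; 29 Feb rolls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_deadline(copy, policy=RETENTION_YEARS):
    """Date on which this copy leaves its mandatory retention window."""
    return add_years(copy.created, policy[copy.data_class])


def classify_copies(copies, today, destroyed_records=frozenset(),
                    legal_holds=frozenset(), policy=RETENTION_YEARS):
    """Sort backup copies into disposition buckets.

    hold:     primary record is under legal hold; never dispose (assumed rule)
    orphaned: primary record was already destroyed, but a backup copy survives
    expired:  copy has passed its retention deadline and should be disposed
    retain:   copy is still inside its retention window
    """
    buckets = {"hold": [], "orphaned": [], "expired": [], "retain": []}
    for c in copies:
        if c.record_id in legal_holds:
            buckets["hold"].append(c.copy_id)
        elif c.record_id in destroyed_records:
            buckets["orphaned"].append(c.copy_id)
        elif retention_deadline(c, policy) <= today:
            buckets["expired"].append(c.copy_id)
        else:
            buckets["retain"].append(c.copy_id)
    return buckets


def uncovered_sites(copies, sites):
    """Sites with no backup copy at all: remote offices outside the program."""
    return sorted(set(sites) - {c.site for c in copies})


# Constructed inventory: one data-center site plus three branch offices.
SAMPLE_COPIES = [
    BackupCopy("c1", "sox_records", "inv-2001", "datacenter", date(2001, 3, 1)),
    BackupCopy("c2", "sox_records", "inv-2005", "boston", date(2005, 6, 30)),
    BackupCopy("c3", "basel_history", "ledger-2001", "datacenter", date(2001, 1, 15)),
    BackupCopy("c4", "hr_records", "emp-0042", "denver", date(2003, 2, 1)),
    BackupCopy("c5", "hr_records", "emp-0042", "datacenter", date(2006, 9, 9)),
]
SAMPLE_SITES = ["datacenter", "boston", "denver", "austin"]
AUDIT_DATE = date(2007, 6, 27)


def audit_sample():
    """Run the classification over the constructed inventory."""
    return classify_copies(SAMPLE_COPIES, AUDIT_DATE,
                           destroyed_records={"emp-0042"},
                           legal_holds={"inv-2005"})


if __name__ == "__main__":
    for bucket, ids in audit_sample().items():
        print(f"{bucket:9s} {ids}")
    print("sites without any backup copy:", uncovered_sites(SAMPLE_COPIES, SAMPLE_SITES))
```

In the sample run, c1 has outlived its five-year window and should be destroyed, c2 is held back from disposition because its record is under legal hold, c3 is still inside its seven-year window, and both copies of emp-0042 (one at a branch office, one in the data center) are orphaned copies of a record the primary system already destroyed. The austin site shows up as having no backup at all. The useful design point is that the decision is driven by the primary record's state and a single retention table, so backup and primary retention cannot drift apart.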
Asigra D2D backup and recovery technology addresses each of these critical requirements, enabling cost-effective data protection, rapid recoverability, and seamless backup lifecycle management of remote office data.
The Asigra Televaulting disk-to-disk (D2D) software solution offers a highly reliable, high-speed replacement for legacy tape-based remote site backup/recovery systems. Designed with a focus on fast data recovery at remote sites, the Asigra Televaulting solution offers a unique agentless design, plus hard-coded security and WAN optimization techniques that differentiate it from competitive D2D backup consolidation software products. Simple to set up and manage, the Asigra solution offers bottom-line benefits that range from lower administrative costs to pay-as-you-grow scalability. Emphasizing data recoverability, the Asigra Televaulting solution helps organizations with geographically distributed sites secure ROBO backup data and reduce the risk of non-compliance.
Asigra Televaulting software can help companies achieve ROBO data protection on par with the security afforded within the enterprise data center. Asigra technology integrates compliance-related features and functionality that differentiate it from competitive products.
Many companies remain immobilized amidst the fear, uncertainty, and doubt that surround Basel II, HIPAA, Sarbanes-Oxley and other regulations. But the only appropriate approach is to take action. For all the examples of costly breaches, there are many more not-so-public cases of audit success. Businesses are already demonstrating that with the right backup/recovery solution, compliance can be achieved quickly, economically, and reliably.
Asigra Televaulting customers have proven that remote and branch office data can be secured with confidence as a corporate in-house solution or as an outsourced managed service, and that ROBO data does not have to be the Achilles heel of enterprise compliance.