Once upon a time, the way in which an organisation managed and protected its data was largely driven by the need to ensure continuity in the event of an IT crash. If a hard drive failed or some other catastrophe occurred, would you be able to get your systems up and running again with minimal disruption? More recently, however, data management has taken on another role. In the increasingly regulated business environment, sound data management practices have become essential for meeting and managing compliance. How an organisation stores and disposes of its electronic records has become just as important as its ability to restore data.
In Australia alone, across state and federal levels there are numerous Acts relating to the storage and safe disposal of business records and personal data including Privacy Acts, the Anti-Money Laundering and Counter-Terrorism Financing Act, the Tax Act and the Trade Practices Act.
For example, the Commonwealth Corporations Act 2001, Section 1306, states: “A corporation must take all reasonable precautions, including such precautions (if any) as are prescribed, for guarding against damage to, destruction of or falsification of or in, and for discovery of falsification of or in, any book or part of a book required by this Act to be kept or prepared by the corporation.”
In other words, to comply with the Act, a business has to protect against accidental loss of, or damage to, certain data. Failure to do so can result in fines of up to $1 million for the organisation and up to $200,000 for individuals. Then there's the damage to reputation to consider. Regulators tend to embrace the opportunity to publicise compliance breaches, as it helps to encourage others to do the right thing.
And this is just within Australia. If you are dealing internationally, you may have to comply with the European Union Data Protection Directive, the UK Data Protection Act 1998, the US Patriot Act, Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act and the list goes on.
It starts with a backup
Despite the potentially hefty penalties, data loss is a problem that plagues many companies. According to a recent survey of over 900 IT managers from across Asia-Pacific, nearly half of the survey respondents admitted to data loss in their workplace within the last two years. It's an indication that backup routines are either being ignored or are failing.
One issue raised by the survey is the importance of revisiting and regularly updating backup procedures to deal with new technologies such as virtualisation and Citrix. Just 52% of the IT managers had reviewed their contingency plans within the last 12 months.
Forty-one percent test their ability to restore data from backups on a monthly or more frequent basis. Small businesses are the worst at this, with 35% stating that they check restoration “sporadically, with no time frame”. Nearly one quarter of companies acknowledged that their data is only productive for one day, yet they back up every three days or less. The result is a backup frequency that does not match business requirements for restoration.
It ends with disposal
Compliance also has a big impact on data retention and disposal policies. The Corporations Act requires that certain financial records be kept for seven years. Under the Tax Act, some corporate records are only required for five years, while in some situations, the Trade Practices Act stipulates an 11-year retention period. Knowing what data should be kept and for how long would seem to be a modern-day basic business requirement. Yet only just over half of all companies surveyed - and less than half of the small companies - have a data retention policy.
At the other end of the spectrum, when data is no longer required, it needs to be disposed of in a controlled manner. This must be done in such a way that the information is permanently erased and cannot be retrieved. According to the Kroll Ontrack survey, the most common way of achieving this is through data erasure software. Others destroy their old storage devices, while approximately one-fifth of respondents use demagnetising devices.
However, nearly one quarter of all respondents have no formal policy for erasing sensitive information. This means that sensitive or private information is not being fully protected, and it is an oversight that could put a company in breach of numerous legislative and industry regulations.
Benefit or burden?
There's no doubt that achieving compliance requires focus and attention to detail. What many companies do not appear to recognise is that reliable data management practices and processes are an integral part of that effort.
One way of ensuring that data management gets the attention it deserves (without distracting IT staff from their current undertakings) is to outsource day-to-day data management processes to a third-party data service provider. Such organisations serve the dual purpose of taking on the hard work while focusing an organisation's attention on the need to mitigate data loss. They help companies to understand that data loss is not an IT issue. It's a compliance risk.
*Adrian Briscoe, General Manager - APAC, Kroll Ontrack.