Develop a Backup Strategy with Compliance in Mind

The growth of data within businesses of all sizes, and even on purely personal devices, is enormous. Extended networks now take in the traditional network behind your firewall, your mobile network, your cloud, your third parties and so on; the amount of data that any type of organization creates is mind-boggling.

Today’s work realities mean this stored data and its backups are subject to an ever-growing list of regulatory and legal frameworks. These govern how data can be stored, who has access to it, and how its integrity is maintained throughout its lifecycle. Industry-specific regulations are often difficult to understand even for those in the relevant field, and harder still for a business leader working with clients across industries to keep track of.

To help you out, here are some of the requirements of a few of the more common industry-specific regulations, and how they relate to backup and disaster recovery. For full details, check out each regulation’s webpage:

  1. SOX (Sarbanes-Oxley Act): Regulating all public companies’ financial transactions, SOX includes rules regarding the retention and control of electronic records.
  • Records must not be destroyed, altered or falsified: Having accurate electronic records, and backups of those records, is necessary for those required to comply with SOX regulations.
  • Keep retention periods in mind: Depending on the type of data, records need to be maintained for five to seven years. To maintain data integrity, storing the data on a single piece of local hardware may not be enough; an additional storage location should be considered.
  2. HIPAA (Health Insurance Portability and Accountability Act): Regulating those in the health care industry and their business associates, HIPAA includes a series of standards for the way personally identifiable patient data is handled. Some of these include:
  • Data must be recoverable: Covered entities must be able to fully restore an exact copy of data if it is lost.
  • Data needs to be stored offsite: In case of a disaster such as a fire or flood, local backups will not suffice.
  • Backup and recovery plans must be documented: When dealing with HIPAA covered entities, written procedures for backup and recovery plans are a requirement.
  • All recoveries must be tested: In order to ensure backups are working properly, regular testing is required on all backups of patient data.
  • Data must be encrypted during storage and transfer: Many covered entities and business associates have trouble with this provision because older backup methods, including tapes and disks, are moved freely and unencrypted.
  3. FINRA (Financial Industry Regulatory Authority, Inc.): FINRA is an organization that handles member regulation, enforcement and arbitration for the New York Stock Exchange. Covered entities include brokerage firms and exchange markets.
  • Businesses must create and maintain a Business Continuity Plan (BCP): This includes data backup and recovery, for both electronic and hard-copy records. The firm’s BCP must address any relationship with outside vendors that provide part of its services.
  • Required to disclose a summary of business continuity: In order to help customers make educated decisions about whom to invest money with, financial firms must disclose a summary of their business continuity plan. In the event that something should disrupt future business, the firm must have a plan to respond and maintain operations.
  • An annual review must be scheduled: The firm’s BCP must be reviewed by a designated member of senior management each year.

Do you encounter these or other regulatory compliance concerns? We can help you and give you full details on what you need to keep in mind. For all your data backup needs, check out SpiderOak’s backup solutions.