Compliance Mandates are increasing with EU's GDPR
New mandated federal laws make compliance a critical component in the management of all business records. Business records are any record, electronic or otherwise, that provides evidence of a company's business-related activities, events, and transactions.
This means the following:
- Electronically stored information - including email messages, attachments, and other data - is discoverable and may be used as evidence for or against your organization in litigation.
- Business records, email, and other electronically stored information related to current, pending, or potential litigation must be retained, archived, and produced in a timely and legally compliant fashion during discovery, the evidence-gathering phase of litigation.
- Businesses are allowed to routinely purge electronic archives of data that is not relevant to ongoing litigation or pending cases. However, processes have to be in place to halt this destruction when litigation begins or is anticipated to begin.
- Writing over backup tapes once litigation is underway may constitute virtual shredding and lead to allegations of spoliation, the illegal destruction of electronic evidence.
- To be accepted as legal evidence, email and business records must be preserved and produced in a trustworthy, authentic, and tamper-proof manner.
Cost of Non-Compliance
Today, more than ever, companies are confronted with a broad array of electronic document issues, including data retention policies and e-discovery during litigation. Failing to comply with rules regarding such electronic data can cost millions of dollars.
For instance, in one case the SEC alleged that the defendant failed to produce tens of thousands of emails sought by the SEC in two investigations. The court entered an 8-page consent judgment against the defendant. Three of the major points in the judgment were:
- Defendant was ordered to pay $15,000,000
- Defendant was permanently enjoined from violating Section 17(b) of the Securities Exchange Act of 1934 (requiring prompt document production, including electronic documents); and
- For one year, Defendant, at its own cost, was ordered to hire an independent consultant (acceptable to the SEC) to review and evaluate Defendant's policies, procedures, and training in order to comply with the judgment. The independent consultant could make recommendations, which Defendant was required to adopt.
Whether it is government agencies, research facilities, banking institutions, credit card processing companies, hospitals or your company's computers, the risk of compromising private information is very high, especially when conducting disaster recovery tests. Since business relies so heavily on technology today, business risk has become technology dependent. The possibility of litigation is part of business. It has always been a risk of doing business, but because technology and today's business are so intertwined, business risk now carries a higher threat level. This has prompted many organizations to encrypt workstations and mobile computers in order to protect critical business data.
If you have rolled out encryption, how do you maintain your IT service quality when a hard disk drive fails? How do you plan and prepare for data loss when the user's computer is encrypted? These are all issues that should be considered when putting together a data disaster plan. In addition, data recovery, one of the more commonly missing elements of a disaster recovery plan, should also be factored in, because it can serve as the last-ditch solution when all other options have been exhausted.
Data Recovery and Encryption
Business continuity and disaster planning are critical for businesses regardless of their size. Most archive and backup software has key features to restore user files, database stores and point-in-time snapshots of user files. Software is becoming more automated so users don't have to manually back up their files. Some computer manufacturers have built-in backup systems that include dedicated hard disk drives for archive storage. Most external USB hard disk drives ship with some sort of third-party software that provides data archiving during a trial period. Such solutions, while meeting the data backup need, raise questions about how effective the systems are with respect to user data. What are your options when a user's computer has a data disaster and the hard disk drive is fully encrypted?
Most IT security policies require a multi-pronged approach to data security. For example, when setting up a new computer for a user, the IT department will require a BIOS (Basic Input/Output System) password before the computer will start. BIOS password security varies in functionality. Some passwords are system specific, meaning that the computer will not start without the proper password. Others are hard disk drive specific, meaning that the hard drive will not be accessible without the proper password. Some BIOS implementations employ one password for access control to both the system and the hard disk drive. To add a second level of protection, newer IT security policies require full hard disk drive encryption. Most full hard disk encryption software operates as a memory-resident program. When the computer starts up, the encryption software is loaded before the operating system and prompts for a pass-phrase or password. After a successful login by the user, the software decrypts hard disk drive sectors in memory as they are needed. The process is reversed when writing to the hard disk drive. This leaves the hard disk drive in a constant state of encryption: the operating system and application programs function normally, without having to be aware of the encryption software.
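To make the sector-level, on-demand decryption described above concrete, here is an added Python illustration (not code from the original article or from any encryption product): the pass-phrase from the pre-boot prompt is stretched with PBKDF2 into a disk key, and a per-sector keystream built from HMAC-SHA256 in counter mode stands in for the AES-XTS a real product would use. All names, the salt and the sample record are constructed for the example.

```python
import hashlib
import hmac

SECTOR_SIZE = 512


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Pre-boot prompt: stretch the user's pass-phrase into the disk key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


class EncryptedDisk:
    """Stand-in for the memory-resident FDE layer. The backing store (raw)
    only ever holds ciphertext; a sector is decrypted when it is read and
    re-encrypted when it is written, so the drive stays encrypted at rest."""

    def __init__(self, sectors: int, key: bytes):
        self.raw = bytearray(sectors * SECTOR_SIZE)  # constructed "hard disk"
        self.key = key

    def _keystream(self, sector: int) -> bytes:
        # HMAC-SHA256 in counter mode, tweaked by the sector number, so two
        # identical plaintext sectors do not produce identical ciphertext.
        out, block = b"", 0
        while len(out) < SECTOR_SIZE:
            msg = sector.to_bytes(8, "big") + block.to_bytes(4, "big")
            out += hmac.new(self.key, msg, hashlib.sha256).digest()
            block += 1
        return out[:SECTOR_SIZE]

    def write_sector(self, sector: int, plaintext: bytes) -> None:
        assert len(plaintext) == SECTOR_SIZE
        start = sector * SECTOR_SIZE
        ks = self._keystream(sector)
        self.raw[start:start + SECTOR_SIZE] = bytes(p ^ k for p, k in zip(plaintext, ks))

    def read_sector(self, sector: int) -> bytes:
        start = sector * SECTOR_SIZE
        ks = self._keystream(sector)
        return bytes(c ^ k for c, k in zip(self.raw[start:start + SECTOR_SIZE], ks))


def plaintext_on_disk(disk: EncryptedDisk, marker: bytes) -> bool:
    """What a recovery lab sees when it images the drive without the key."""
    return marker in bytes(disk.raw)
```

Imaging `disk.raw` without the pass-phrase yields no recoverable record, which is why key escrow belongs in the data disaster plan. A real product uses a tweakable block cipher such as AES-XTS rather than this per-sector keystream, which would leak the XOR of old and new contents when a sector is rewritten.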