What Are the Regulatory Consequences of Data Loss?
Regulatory compliance describes the goal that corporations or public agencies conform to and comply with relevant laws and regulations. CFOs care about regulatory compliance because of the consequences of not being able to prove compliance; these range from corporate fines to, in the most egregious cases, loss of personal freedom.
Regulatory compliance tends to vary by locale; the more prominent regulations are described in the sections below. Meeting regulatory requirements requires detailed planning and the selection of secure data protection and archiving solutions, such as Unitrends Certified Recovery Suite.
SOX (Sarbanes-Oxley or Sarbox)
SOX is a set of regulations associated with all public companies in the United States. The applicable sections of SOX as they pertain to data protection are described below.
Section 103: Auditing, Quality Control, And Independence Standards And Rules
The Board shall: (1) register public accounting firms; (2) establish, or adopt, by rule, “auditing, quality control, ethics, independence, and other standards relating to the preparation of audit reports for issuers.” The Board requires registered public accounting firms to “prepare, and maintain for a period of not less than seven years, audit work papers, and other information related to any audit report, in sufficient detail to support the conclusions reached in such report.”
Section 104: Inspections of Registered Public Accounting Firms
Quality inspections must be conducted annually for firms auditing more than 100 issuers per year, or every 3 years for all other firms. The SEC or the Board may order impromptu inspections of any firm at any time.
Section 105(d): Investigations And Disciplinary Proceedings; Reporting of Sanctions
All documents prepared or received by the Board are regarded “confidential and privileged as an evidentiary matter (and shall not be subject to civil discovery or other legal process) in any proceeding in any Federal or State court or administrative agency, ...unless and until presented in connection with a public proceeding or [otherwise] released” in connection with a disciplinary action.
Title VIII: Corporate and Criminal Fraud Accountability Act of 2002
“Knowingly” destroying or creating documents to “impede, obstruct or influence” any federal investigation, whether it exists or is contemplated, is a felony.
Section 802: Document Alteration or Destruction
This section instructs auditors to maintain “all audit or review work papers” for five years from the end of the fiscal period during which the audit or review was concluded. It also directs the Securities and Exchange Commission (SEC) to disseminate, within 180 days, any necessary rules and regulations relating to the retention of relevant records from an audit or review. This section makes it unlawful knowingly and willfully to violate these new provisions — including any rules and regulations disseminated by the SEC — and imposes fines, a maximum term of 10 years’ imprisonment or both.
Section 1102: Tampering With a Record or Otherwise Impeding an Official Proceeding
This section forbids knowingly altering, destroying, mutilating, or concealing any document with the intent to impair the object’s integrity or availability for use in an official proceeding or to otherwise obstruct, influence or impede any official proceeding.
FACTA (Fair and Accurate Credit Transactions Act)
FACTA is a United States federal law that allows consumers to request and obtain a free credit report once every twelve months and contains provisions to reduce identity theft. With respect to data protection, FACTA requires secure disposal of consumer information.
The requirement regarding secure disposal of consumer information means that backup copies containing such information must also be capable of secure and timely disposal.
GLBA (Gramm-Leach-Bliley Act)
GLBA is a comprehensive United States law requiring all institutions associated with financial transactions to protect the security, integrity, and confidentiality of consumer information. GLBA affects an extremely wide range of organizations including banking institutions, insurance companies, securities firms, mortgage brokers, security firms, financial advisors, real estate brokers, collection agencies, tax preparers, and credit card companies.
The most pertinent GLBA requirements with respect to data protection are specified below (these are from the section of the law known as the “Safeguards Rule”):
Insure the security and confidentiality of customer records and information
To protect against any anticipated threats or hazards to the security or integrity of such records.
To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
FISMA (Federal Information Security Management Act)
FISMA is a United States act that mandates security programs for all organizations which possess or use federal information systems on behalf of a federal agency. The act holds senior management accountable for ensuring the timely implementation of security measures. By viewing IT security as a life cycle process, FISMA integrates security with overall IT management and maintenance processes.
Government agencies will soon be required to meet the standards published in the Minimum Security Requirements for Federal Information and Information Systems document, also referred to as FIPS 200. The security controls that implement those requirements, currently published by the National Institute of Standards and Technology as Special Publication 800-53, further detail the specific implementation requirements to heighten security within government information systems.
HIPAA (Health Insurance Portability and Accountability Act)
HIPAA is a set of regulations associated with the United States health care industry. The major applicable requirements associated with HIPAA are as follows:
Electronic personal health information (ePHI) must be protected against any reasonably anticipated threats or hazards.
Access to ePHI must be protected against any reasonably anticipated uses or disclosures that are not permitted or required by the Privacy Rule.
Records of access authorizations must be maintained.
If the data is processed through a third party, entities are required to enter into a chain of trust partner agreement.
ITIL (IT Infrastructure Library)
ITIL is a series of books developed by OGC (Office of Government Commerce, a part of the United Kingdom government) in response to the growing dependency on IT. The intent of ITIL is the encapsulation of a set of best practices for IT service management.
DPA (Data Protection Act 1998)
DPA is a United Kingdom Act of Parliament which defines the law with respect to data and the processing of that data on identifiable living people. It was enacted to bring UK law into line with the European Directive of 1995 which required Member States to protect people’s fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data.
The summary of the key principles of DPA:
Data may only be used for the specific purposes for which it was collected.
Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offense for Other Parties to obtain this personal data without authorization.
Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).
Personal information may be kept for no longer than is necessary and must be kept up to date.
Personal information may not be sent outside the European Economic Area unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.
Subject to some exceptions for organizations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner’s Office.
Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organizational measures (such as staff training).
Subjects have the right to have factually incorrect information corrected (note: this does not extend to matters of opinion).
How to Sell Backup to Your CFO
A CFO is a corporate officer primarily responsible for managing the financial risks of the corporation. Secondary responsibilities are financial planning, record keeping, financial reporting to both senior management as well as the board of directors. Given that job description, you would think that "selling backup" to a CFO would be the easiest thing in the world. You'd be wrong.