Compliance is becoming a larger challenge for US enterprises, particularly their IT departments. Mandates are demanding the correct handling of data, and therefore have a major voice in how data backups, storage, and disaster recovery tasks are performed. And it now appears that a major new mandate will be here in 2020. How can IT be prepared for data backup and recovery mandates that are still being developed? By meeting the most stringent mandates in effect today.
One of the first national mandates was SOX. SOX (the Sarbanes-Oxley Act) went into effect in July of 2002. Designed to curb financial fraud and to improve accountability, it mandated that companies automate financial processes previously done manually; IT and Finance were required to find and eliminate manual steps. Second, CIOs were required to adopt “policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.” Undesired events include computing downtime and data loss that can impact the creation and reporting of financial results.
Then came HIPAA in April 2003. HIPAA is serious business for healthcare organizations and their business associates, centering on protecting personally identifiable information (PII) and/or protected health information (PHI) from exposure or theft. The U.S. Department of Health & Human Services (HHS) strongly enforces HIPAA. Fresenius Medical Care North America agreed to pay $3.5 million in early 2018 to settle HIPAA violation charges. Even declaring bankruptcy does not let enterprises avoid non-compliance fees: in 2017, 21st Century Oncology agreed to pay $2.3 million to HHS even after declaring bankruptcy. HIPAA’s data management mandates are the most stringent.
GDPR, with its detailed requirements for handling EU citizen data, went into effect in May 2018 and has an impact on US companies. Even if your US-based organization does not formally do business in the EU, you are required to treat EU data by GDPR standards. Any U.S. company that has a Web presence (and who doesn’t?) and markets its products over the Web is subject to its rules. For US companies that collect, maintain, or process the personal data of individuals located within the EU, GDPR compliance is compulsory. GDPR has serious ramifications for how data is backed up, stored and destroyed.
We are all about to come under the mandate of the California Consumer Privacy Act, or CCPA, which will go into effect in January 2020. Considered the GDPR of the US, it is being written to ensure consumers know what data is collected about them and how that data is being used. It will give consumers the option to opt out. In addition, CCPA has specific wording mandating that organizations take steps to ensure data isn’t hacked or stolen. The measure is still being written, so the exact language and requirements may change, but this is coming, and very soon.
What can a company do to meet existing compliance requirements as well as prepare for upcoming mandates for data backup and disaster recovery? Enterprises need to use backup and recovery appliances that meet the most stringent requirements of all these mandates. You should have a data backup and disaster recovery appliance that is able to meet HIPAA mandates right out of the box, even if you are not in the healthcare industry. Unitrends Recovery Series hardware and Unitrends Backup software appliances meet all these requirements, and potentially many more that may become law soon. Specifically, Unitrends appliances meet these detailed HIPAA requirements:
- Backups: HIPAA mandates frequent data backups and restores of the most current files. With Unitrends, just set the backup schedule as frequently as you choose and then receive emails that tell you whether the backups were performed successfully.
- Recovery: HIPAA-covered organizations must be able to fully restore an exact copy of lost data. With Unitrends you can recover full application stacks on the backup appliance itself, on a related local server or in the Unitrends cloud.
- Recover Securely: All security mandates must remain in place during a recovery. This is a standard part of the Unitrends recovery process.
- Recoveries must be tested: Regular recovery testing is required, including documentation that demonstrates whether recoveries are within stated goals. Unitrends Recovery Assurance performs each of these requirements automatically with full documentation delivered via email to you, your boss and/or other stakeholders.
- Offsite Storage: Disasters such as a fire or flood will also destroy backups stored locally so backups must be replicated to a remote location. Replication to a remote location and/or Unitrends Cloud is included in all Unitrends appliances.
- Encryption: Data must be encrypted during storage and while being transferred over a network. Unitrends appliances use AES-256 bit encryption as a standard feature.
- Documented Backup and Recovery Plans: HIPAA covered entities are required to have written backup and recovery procedures. The Unitrends BC/DR Web site gives you a free best-in-class template you can use to document your disaster recovery procedures.
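The list above combines four checkable properties: the restore must be an exact copy, the backup must be encrypted at rest with AES-256, the recovery must be tested regularly, and the test must leave documentation. The following Go program is an added example written for this article; it is not Unitrends code and does not describe how any Unitrends appliance works. It works entirely in memory on a constructed dataset: it takes a SHA-256 manifest of the files, seals the serialized backup with AES-256-GCM (assumed as the mode, since the text names only AES-256), restores it, compares every file hash against the manifest, and emits a recovery report that records whether the copy was exact and whether the recovery point and recovery time objectives (RPO and RTO, both assumed values here) were met.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"sort"
	"time"
)

// Dataset is a constructed stand-in for the files on a protected system.
type Dataset map[string][]byte

// Manifest maps file name to SHA-256 hex digest taken at backup time.
type Manifest map[string]string

// Backup is the encrypted artifact that would be stored and replicated offsite.
type Backup struct {
	Nonce, Ciphertext []byte
	Manifest          Manifest
	TakenAt           time.Time
}

// RecoveryReport is the documentation a recovery test leaves behind.
type RecoveryReport struct {
	TakenAt, TestedAt    time.Time
	RestoreDuration      time.Duration
	FilesChecked         int
	Mismatched           []string
	WithinRPO, WithinRTO bool
	Error                string
	Passed               bool
}

func manifestOf(d Dataset) Manifest {
	m := Manifest{}
	for name, data := range d {
		sum := sha256.Sum256(data)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// serialize packs files as (len, name, len, content) records in sorted order.
func serialize(d Dataset) []byte {
	names := make([]string, 0, len(d))
	for n := range d {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	for _, n := range names {
		binary.Write(&buf, binary.BigEndian, uint32(len(n)))
		buf.WriteString(n)
		binary.Write(&buf, binary.BigEndian, uint32(len(d[n])))
		buf.Write(d[n])
	}
	return buf.Bytes()
}

func readChunk(r *bytes.Reader) ([]byte, error) {
	var n uint32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return nil, err
	}
	out := make([]byte, n)
	_, err := io.ReadFull(r, out)
	return out, err
}

func deserialize(b []byte) (Dataset, error) {
	d := Dataset{}
	r := bytes.NewReader(b)
	for r.Len() > 0 {
		name, err := readChunk(r)
		if err != nil {
			return nil, err
		}
		data, err := readChunk(r)
		if err != nil {
			return nil, err
		}
		d[string(name)] = data
	}
	return d, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // AES-256 means a 32-byte key
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CreateBackup records the manifest and seals the serialized data at rest.
func CreateBackup(d Dataset, key []byte, now time.Time) (*Backup, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, serialize(d), nil)
	return &Backup{Nonce: nonce, Ciphertext: ct, Manifest: manifestOf(d), TakenAt: now}, nil
}

// Restore decrypts the backup; GCM rejects a wrong key or a corrupted copy.
func Restore(b *Backup, key []byte) (Dataset, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("backup failed authentication (wrong key or damaged copy): %w", err)
	}
	return deserialize(pt)
}

// VerifyRecovery restores the backup and documents whether it is an exact,
// timely copy. rpo and rto are assumed objectives supplied by the caller.
func VerifyRecovery(b *Backup, key []byte, rpo, rto time.Duration, now time.Time) RecoveryReport {
	rep := RecoveryReport{TakenAt: b.TakenAt, TestedAt: now, WithinRPO: now.Sub(b.TakenAt) <= rpo}
	start := time.Now()
	restored, err := Restore(b, key)
	rep.RestoreDuration = time.Since(start)
	rep.WithinRTO = rep.RestoreDuration <= rto
	if err != nil {
		rep.Error = err.Error()
		return rep
	}
	got := manifestOf(restored)
	for name, want := range b.Manifest {
		rep.FilesChecked++
		if got[name] != want {
			rep.Mismatched = append(rep.Mismatched, name)
		}
	}
	sort.Strings(rep.Mismatched)
	rep.Passed = rep.Error == "" && len(rep.Mismatched) == 0 && rep.WithinRPO && rep.WithinRTO
	return rep
}

func main() {
	// Constructed sample data and key; a real key would come from a KMS or vault.
	key := bytes.Repeat([]byte{0x42}, 32)
	data := Dataset{"records/1001.json": []byte(`{"id":1001}`), "notes.txt": []byte("visit notes")}
	taken := time.Date(2019, 1, 1, 8, 0, 0, 0, time.UTC)
	b, err := CreateBackup(data, key, taken)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", VerifyRecovery(b, key, 24*time.Hour, time.Minute, taken.Add(time.Hour)))
}
```

The report is what a stakeholder email would carry: a failed authentication, a hash mismatch, a backup older than the RPO, or a restore slower than the RTO each flips `Passed` to false with the reason recorded, so the test is useful evidence rather than a bare "restore ran".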
You can never completely future-proof yourself against change, but partnering with a backup and recovery vendor that understands and exceeds all current compliance mandates gives you a good head start.