The IT industry has become even more complex in the past few years with the advent of regulatory compliance requirements that all publicly traded companies must adopt. Perhaps your organisation is already working through these requirements. If you are a consultant or non-publicly traded company, you may not be bound by these regulations—however your clients may be, so this information is critical for anyone in the IT industry.
Regulatory standards affect the broad areas of data privacy, security, retention, protection and accountability. Within these areas, checks and balances act to preserve the information and data. Investigative processes verify the integrity of privacy, security and data protection and audits are required for accountability.
The legal and business requirements protect a company from investigations or consequences, but they also help safeguard consumer and patient information. Here is a list of some of the common regulatory compliance laws. This is by no means a comprehensive or industry-specific list, but it serves as an example of the number of data regulations that are already in place:
Sarbanes-Oxley Act
Known as SOX, this Act requires company financial executives to be culpable for financial reporting. Independent auditors review financial controls and processes to ensure accurate financial reporting. Controls of records and processes are preserved to prevent fraudulent activities.

Healthcare Insurance Portability and Accountability Act (1996)
The Healthcare Insurance Portability and Accountability Act of 1996 requires, among other things, the securing of patient information.

European Union Data Protection Directive
The European Union Data Protection Directive (EUDPD) standardises the protection of data privacy for citizens throughout the European Union (EU) by providing baseline requirements that all member states must achieve through the implementation of national legislation.

Payment Card Industry Data Security Standard
On June 30, 2005, the four major credit card associations in the United States (Visa, MasterCard, American Express, and Discover Network) adopted a consolidated data security standard (Payment Card Industry Data Security Standard; PCI DSS). Compliance is required of merchants accepting these cards.

Japan's Personal Information Protection Act (2003)
On May 23, 2003, the Japanese Diet passed the Personal Information Protection Act (2003). The Personal Information Protection Act applies to government or private entities that collect, handle, or use personal information of 5,000 or more individuals.

Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (Financial Institution Privacy Protection Act of 2001) addresses the protection of nonpublic personal information, requiring that financial records are properly secured, safeguarded, and eventually disposed of in a manner that completely destroys the information.

Breach Notification Legislation
California's Senate Bill 1386 (SB1386) requires notification to California residents regarding any breach of the security of a computing system containing personal information.
Regulatory compliance issues can really be summed up by three simple items: "Keep it, Secure it, and Preserve it." This can mean extra equipment and IT policies to maintain control over information that users may previously have hoarded on their own machines.
One of the most important aspects of regulatory compliance is 100% accessibility of the stored data. During data storage disasters, companies that require speed and quality turn to Ontrack Data Recovery to regain access to regulatory data. In other situations, software that facilitates retrieving data, such as Ontrack® PowerControls™ for Microsoft® Exchange Server, is part of some IT departments' compliance processes.
One of the least reported risks to electronic information is storage system failures. What happens when the server you have for compliance fails? How do you cope with a quarter-end financial audit when the business system database becomes corrupt? Who do you turn to when your company is in the middle of an SEC investigation and the electronic message server goes offline? These types of situations happen to corporations every day. To help minimise this risk, several risk mitigation policies that storage administrators can adopt are outlined below:
When user desktop or laptop computer storage systems fail, do not assume that their files are backed up, or synchronised, on the file server. At the same time, never assume that the data is completely gone.
Ontrack Data Recovery (www.ontrackdatarecovery.co.uk) is the largest, most experienced and technologically advanced provider of data recovery products and services worldwide. Ontrack is able to recover lost or corrupted data from virtually all operating systems and types of storage devices through its do-it-yourself, remote and in-lab capabilities, using its hundreds of proprietary tools and techniques.