Regulation in IT is nothing new. HIPAA and the Sarbanes-Oxley Act, for example, have been around for roughly two decades. But newer regulations such as the GDPR and the California Consumer Privacy Act are far more sweeping in their coverage and in the obligations they place on those who manage personal data. As more jurisdictions follow the trend of regulating data, the compliance burden is likely to grow before it eases.
Because these regulations cover not only how personal data is protected but also whether the systems holding it stay available and recoverable (GDPR Article 32, for example, explicitly requires the ability to restore availability of and access to personal data in a timely manner after a physical or technical incident), they bear directly on business continuity and disaster recovery processes.
Traditional DR has typically meant either running duplicate data centers with redundant failover or contracting with a third party for the redundant infrastructure. Now, under both the California Consumer Privacy Act and GDPR, any data subject access request or deletion request will require that those duplicate data stores also be searched, so that the personally identifiable information is located and deleted there as well, said Ryan O'Leary, senior research analyst in the legal, risk and compliance program at IDC.
Modern DR complicates regulations
The other issue is that disaster recovery regulations cover not only physical disasters, but malware and other cyberattacks as well, O'Leary said. "We will likely see an increased amount of investment in cyber insurance depending, of course, on the outcome of Mondelez v. Zurich," a high-profile test case in which a leading American multinational confectionery, food and beverage holding company sued its insurer over coverage for losses from the 2017 NotPetya attack, which the insurer had declined under a war exclusion.
O'Leary said that IDC studied the fines and cases associated with GDPR during its first year. By far the most common reason for fines was insufficient security measures, totaling 319 million euros (approximately $344 million). That suggests that companies operating in the European Union must invest in security measures to protect themselves not only from cyberthreats but from the costs that disaster recovery regulations can bring. "A ransomware attack is bad, but it can get worse if you pile a multimillion euro fine on top of it," he said.
ESG senior analyst Christophe Bertrand said the new breed of disaster recovery regulations has in common a basic notion that data is an extension of the individual rights of a person. "Your rights are the same as your data," he said.
While some might want to argue that point, the reality is this is the direction the law is taking. A specific facet of GDPR that is causing organizations big headaches is the "right to be forgotten" (the right to erasure in the regulation's own terms), under which you can ask an organization to delete your personal data. But in most cases, Bertrand said, you "can't just get rid of the data, because most of the time some other regulations require you to keep it." An obvious example is a bank where you have a loan. You can't simply ask to be forgotten, because erasing the record would wipe out the evidence of a transaction the bank is obliged to retain.
In practical terms, the right to be forgotten means that companies holding data must manage it with care and caution and only make it available to those with a valid need to access it, he said.
Data volume and format bring challenges
Another challenge in complying with modern disaster recovery regulations is that most organizations don't really know what data they have, where it is or how much of it there is. "Organizations are getting better at this, but they still have a long way to go," Bertrand said. That's the first part of the challenge. The second is that even if they manage to excise a record or put proper controls on it within the primary source or sources, the odds are good that it is also lurking somewhere in backup copies. And those, too, need to be appropriately protected.
"There has to be a mechanism for making sure that information is not visible, which is why there has been a lot of discussion about masking and anonymization and pseudo-anonymization with the California regulation," Bertrand said.
For structured data, where personal information sits in named fields, all of this is relatively straightforward. For example, spotting and then protecting Social Security numbers is an easily defined task. With unstructured data such as emails and Word documents, "the market is in need of tools to really analyze, identify and classify data so it can be acted upon," Bertrand said.
The process is not going to be easy, warned Greg Schulz, founder and senior advisory analyst at StorageIO. For example, depending on where and how you protect data, there will likely need to be some level of administrative access, which could be a problem in terms of the strictest definition of compliance. "It may be that data will need to be stored in a format or container that can only be unlocked by a very specific mechanism or application, preferably without adding too much complexity," he said.
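The classification and masking step described above, as an added example that is not code from the article or from any vendor it mentions: a scanner that finds structurally valid US Social Security numbers in a structured row and in free text, then either masks them (last four digits only) or replaces them with a keyed pseudonym. The pseudonym is an HMAC, so a deletion request can still be matched against a pseudonymized backup without the backup holding the plaintext, and destroying the key is the "very specific mechanism" that renders every copy unreadable. The sample row, email body and `BACKUP_KEY` are constructed for the example; in practice the key lives in a KMS or HSM, separate from the backups.

```python
"""Find, mask and pseudonymize US Social Security numbers in backup data.

Added example, not code from the article. Sample records are constructed.
BACKUP_KEY is a placeholder: the real key belongs in a KMS/HSM kept apart
from the backups, so destroying it leaves every token unrecoverable
(crypto-shredding).
"""
from __future__ import annotations

import hashlib
import hmac
import re
from typing import Any

# ddd-dd-dddd with the SSA's structural rules: area not 000, 666 or 900-999,
# group not 00, serial not 0000. The digit look-arounds keep a fragment of a
# 10-digit phone number from matching. Unhyphenated 9-digit runs are not
# matched in free text because they are too ambiguous there.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d{2})(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})(?!\d)"
)

BACKUP_KEY = b"placeholder-key-held-in-kms"  # assumption for the example only


def find_ssns(text: str) -> list[str]:
    """Return every structurally valid SSN found in free text, in order."""
    return ["-".join(m.groups()) for m in SSN_RE.finditer(text)]


def mask_ssn(ssn: str) -> str:
    """Masking: keep only the last four digits, as on a customer statement."""
    return "***-**-" + ssn[-4:]


def pseudonymize_ssn(ssn: str, key: bytes) -> str:
    """Pseudonymization: keyed HMAC-SHA256 token, truncated to 128 bits.

    Deterministic, so the same SSN yields the same token and records can
    still be joined or matched against a deletion request. A plain SHA-256
    would fall to a 1e9-entry brute force, hence the secret key.
    """
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()
    return "ssn:" + digest[:32]


def scrub_text(text: str, key: bytes, mode: str = "mask") -> str:
    """Replace every SSN in unstructured text with its mask or token."""
    def repl(m: re.Match) -> str:
        ssn = "-".join(m.groups())
        return mask_ssn(ssn) if mode == "mask" else pseudonymize_ssn(ssn, key)
    return SSN_RE.sub(repl, text)


def scrub_record(record: dict[str, Any], key: bytes, mode: str = "mask") -> dict[str, Any]:
    """Scrub a structured row: the known PII column directly, text columns by scanning."""
    out: dict[str, Any] = {}
    for col, val in record.items():
        if col == "ssn" and isinstance(val, str) and SSN_RE.fullmatch(val):
            out[col] = mask_ssn(val) if mode == "mask" else pseudonymize_ssn(val, key)
        elif isinstance(val, str):
            out[col] = scrub_text(val, key, mode)
        else:
            out[col] = val
    return out


def find_subject_in_backup(backup: list[dict[str, Any]], ssn: str, key: bytes) -> list[dict[str, Any]]:
    """Locate a data subject's rows in a pseudonymized backup without plaintext SSNs in it."""
    token = pseudonymize_ssn(ssn, key)
    return [r for r in backup if r.get("ssn") == token]


# Constructed sample data: one CRM row and one email body from a "backup".
# 987-65-4320 (area 9xx) and 000-12-3456 (area 000) are not valid SSNs and
# must be left alone; 555-219-0999 is a phone number.
SAMPLE_ROW = {"id": 17, "name": "A. Example", "ssn": "219-09-9999",
              "notes": "Called re loan; confirmed SSN 219-09-9999 on file."}
SAMPLE_EMAIL = ("Hi, my SSN is 219-09-9999 and my colleague's is 987-65-4320; "
                "the ticket number is 000-12-3456 and my phone is 555-219-0999.")

if __name__ == "__main__":
    print(find_ssns(SAMPLE_EMAIL))
    print(scrub_text(SAMPLE_EMAIL, BACKUP_KEY))
    print(scrub_record(SAMPLE_ROW, BACKUP_KEY, "mask"))
    backup = [scrub_record(SAMPLE_ROW, BACKUP_KEY, "pseudonymize")]
    print(find_subject_in_backup(backup, "219-09-9999", BACKUP_KEY))
```

The pattern deliberately trades recall for precision in free text: an unhyphenated nine-digit run is skipped because in an email it is as likely to be an account or ticket number, which is exactly the ambiguity the analysts above say current tooling struggles with. For a structured column the field name, not the pattern, is what identifies the data, so the scrubber handles it directly.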
On the positive side, Schulz said existing vendors will likely develop tools to help, but, in the meantime, they are likely "to dance around" the issue. "One option is to go under [nondisclosure agreement] with them and find out what their roadmap looks like to see how and when they propose to address this," he said. "Hopefully, you won't have to rip and replace to solve this challenge."
In the meantime, talk to your legal department about the potential effects of disaster recovery regulations on your organization. "Define what can and can't be done now and make sure they are aware of the potential exposure," Schulz said. Above all, don't just ignore it. "That's the worst thing you could do," he added.
Bertrand said although some software companies are beginning to offer tools, it will probably take years for bigger organizations with lots of data to really be able to be confident they have mastered the new privacy and compliance challenges.