Mecklenburg Technology Group • PO Box 49067 • Charlotte, NC 28277
www.mecktech.net • info@mecktech.net • 704-845-9452
“A successful backup strategy requires the backup process to be automatic and file selection appropriate. The backup archive must be securely maintained offsite.”
Backing up small business data used to be a maddening process, which is why so few businesses would do it. Not that many years ago, precious data was archived on slow, creaky tape cartridges even though the lousy hardware, media, and software assured absolutely nothing.
When CD-ROM and then DVD-ROM devices came on the market, backing up became a little simpler, but file selection was manual and wasteful, human intervention was always required, and the backup archives rarely made it offsite.
Things are better now. The advent of affordable broadband connections led to affordable online backup services, making automated, offsite backups doable. HIPAA, GLB and Sarbanes-Oxley make secure, offsite backups the obvious choice for most businesses.
As the service provider, we and our clients both need to make good use of our available bandwidth. In the past, backup software wasn’t particularly discriminating as to which files were being backed up. Because the software interfaces were so non-intuitive, many users would bite the bullet and back up their entire hard drive to whatever media they had available.
The software we use includes a smart feature that selects only actual data while skipping over program, utility and operating system files. Once installed, the client-site software runs an incremental backup each night, adding only changed files to the archive on our secure servers.
Because the software backs up only data, and because only changed files are added to the archive, very little bandwidth is consumed each evening, which keeps the backup session short.
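The two selection steps just described, skipping program and system files and then uploading only files whose content has changed since the previous night, can be illustrated with a small change-detection routine. The code below is an added example written for this page, not the vendor's backup client. It keeps a manifest of SHA-256 hashes from the last run and compares tonight's files against it; the skip-list prefixes, the file paths and the file contents are all constructed for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest records, per archive path, the SHA-256 of the file content as it
// was when that file was last added to the archive. It is the client's
// "what does the archive already hold" index. (Example code, not the vendor's.)
type Manifest map[string]string

// skipPrefixes are directory prefixes treated as program/OS files rather than
// data. These are assumed values for the example, not the product's own list.
var skipPrefixes = []string{"C:/Windows/", "C:/Program Files/"}

// isData reports whether a path should be considered for backup at all.
func isData(p string) bool {
	for _, pre := range skipPrefixes {
		if strings.HasPrefix(p, pre) {
			return false
		}
	}
	return true
}

// hashContent returns the hex SHA-256 of a file's bytes. Hashing content
// (rather than trusting modification times) catches edits that preserve the
// timestamp, at the cost of reading every candidate file.
func hashContent(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SelectChanged compares the files present tonight against the previous
// manifest and returns the sorted list of paths that must be uploaded (new or
// modified data files) together with the manifest to use tomorrow. Files that
// disappeared simply drop out of the new manifest; nothing is uploaded for
// them and the archive keeps the copies it already has.
func SelectChanged(prev Manifest, files map[string][]byte) ([]string, Manifest) {
	next := make(Manifest, len(files))
	var changed []string
	for p, content := range files {
		if !isData(p) {
			continue
		}
		h := hashContent(content)
		next[p] = h
		if prev[p] != h { // unknown path or different content
			changed = append(changed, p)
		}
	}
	sort.Strings(changed)
	return changed, next
}

func main() {
	// Constructed sample: last night's manifest and tonight's file set.
	prev := Manifest{
		"C:/Data/ledger.xls":  hashContent([]byte("q1 figures v1")),
		"C:/Data/clients.mdb": hashContent([]byte("client list")),
	}
	tonight := map[string][]byte{
		"C:/Data/ledger.xls":          []byte("q1 figures v2"), // modified
		"C:/Data/clients.mdb":         []byte("client list"),   // unchanged
		"C:/Data/memo.doc":            []byte("new memo"),      // new
		"C:/Windows/system32/foo.dll": []byte("binary"),        // skipped
	}
	changed, next := SelectChanged(prev, tonight)
	fmt.Println("upload tonight:", changed)
	fmt.Println("manifest entries for tomorrow:", len(next))
}
```

The manifest itself is worth protecting alongside the archive: if it is lost, the next run falls back to a full upload, and if it can be altered, a modified file can be made to look unchanged and silently left out of the archive.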
The server and client software complies with the final HIPAA rule and helps our customers meet GLB and Sarbanes-Oxley requirements. The entire data archive is heavily encrypted before it leaves the client’s premises, obviating security concerns. Even in the unlikely event that our data center’s security was breached, our cabinet was broken into and our backup servers were stolen, the encrypted backups would be of no use to the thief because client data archives are always encrypted during transmission and while stored on our servers.
“Address and evaluate your backup regimen in conjunction with compliance and disaster-recovery planning exercises.”
Introduction
The amount of data used by today’s businesses has increased exponentially from just five years ago. Corporate scandal, international unrest, and glaring security flaws in computer operating systems and software applications have resulted in a much more intense and detailed analysis of data as it enters and leaves the enterprise. Fortune 500 companies have been vilified in the press for reckless data stewardship, and in some cases of outright fabrication of financial and performance reports. In extreme cases, executives are now lounging in Federal facilities, denying to the bitter end that they had any knowledge of the blatant misrepresentation for which they were held accountable. The private information stores of several prestigious organizations, some of them very sensitive and personal in nature, have been lost, misplaced, or accessed by hackers – the details of the events becoming fodder for an indignant news media.
Corporate America, already under varying degrees of competitive and performance pressure, is now faced with compliance legislation and disclosure requirements that seek to right some of the wrongs done to consumers, investors, and employees alike.
What follows is an analysis of three major pieces of process and data management compliance legislation, with a specific focus on the critical role that data availability plays in all of them. Access and process controls, internal and third party audits, reporting requirements and penalties for non-compliance are just a few of the areas that will be addressed on a per-measure basis.
These are the big three, the laws business owners must be aware of:
HIPAA - Health Insurance Portability and Accountability Act of 1996
HIPAA started as a measure designed to ensure that workers could keep their health insurance when they changed jobs. By the time of its passage, it had become much more complex and far-ranging, affecting the vast majority of all health-care entities in the United States.
The Financial Modernization Act of 1999 - Gramm-Leach-Bliley Act
The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB, includes provisions to protect consumers’ personal financial information held by financial institutions.
Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act, commonly referred to as ‘SOX’, introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws."
HIPAA
In 1996, a bill known as the Kennedy-Kassebaum Bill was passed by the U.S. Congress and signed into law by the President. The new law became known as the Health Insurance Portability and Accountability Act of 1996, or more commonly, HIPAA. It had started as a measure to ensure that workers could keep their health insurance when they changed jobs. By the time of its passage, it had become much more complex and far-ranging, affecting the vast majority of all health-care entities in the United States.
Because of the complexity and wide range of HIPAA, there has been and continues to be a great deal of confusion about how it applies to many areas, including backup.
Who Must Comply
Those who must comply with HIPAA fall into two categories. The first category is Covered Entities. Covered Entities include all health plans, health care clearinghouses, or health care providers who transmit health information in electronic form.
The second category is the Business Associates of those Covered Entities. A Business Associate is someone who performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing.
Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information (PHI), and where any access to protected health information by such persons would be incidental, if at all.
HIPAA Overview
HIPAA consists of five parts:
· Title 1 - Health Insurance Portability - helps workers maintain insurance coverage when they change jobs
· Title 2 - Administrative Simplification - standardizes electronic health care-related transactions, and the privacy and security of health information
· Title 3 - Medical Savings Accounts & Health Insurance Tax Deductions
· Title 4 - Enforcement of Group Health Plan provisions
· Title 5 - Revenue Offset Provisions
Fortunately, four of the five parts of HIPAA have no bearing on backup strategies. The one part that does apply is Title 2 - Administrative Simplification.
Administrative Simplification
HIPAA Administrative Simplification consists of two areas. The first is commonly referred to as the Transactions and Code Sets Rule, although it also covers standardization of identifiers. This Rule requires standardization in all health-related electronic transactions, such as electronic transmission of insurance claims, verification of insurance, statements, explanations of benefits, remittance advice, etc. It is scheduled to take effect in October 2003.
Backups are not generally regarded as health-related transactions, and are therefore not covered under the Transactions and Code Sets Rule.
The second area of Administrative Simplification is made up of two Rules, the Privacy Rule and the Security Rule. Because these two rules are where the most confusion arises, we will examine them in some detail.
Privacy and Security
Before the Privacy and Security Rules can be explained, we must understand what they are intended to protect. Both Rules are intended to safeguard any health-related information that can be traced to or used to identify an individual. Some examples of this type of information include name, address, date of birth, Social Security number, or any other identifier. This type of information is referred to as Protected Health Information, or PHI.
The Privacy Rule and Security Rule are intended to protect PHI in different ways. The Privacy Rule sets out limits on who can have access to PHI and for what purpose. The Security Rule regulates the Procedural, Physical and Technical means that are used to protect PHI.
Privacy
The Privacy Rule places limits on the ways that PHI can be used and disclosed, and requires accounting of disclosures. It is relevant at this point to review how backup services from Mecklenburg Technology Group work.
With an automated, offsite backup solution from Mecklenburg Technology Group, all information to be backed up is encrypted by the local client before being transmitted, using a key that is stored locally. Data is stored on the offsite server in its encrypted form. Data can only be recovered by transmitting it back to the local client, which decrypts it, again using the locally-stored key. The most important feature of this arrangement is that while the data is stored on the offsite server, it is encrypted and not in a readable format. The offsite server does not have access to the key, and without the key, the data cannot be converted to a readable format.
Backup services from Mecklenburg Technology Group do not involve the use or disclosure of PHI. All backed-up data is transmitted to and stored on our secure, offsite servers in an encrypted form. Access to PHI from a backup archive by Mecklenburg Technology Group is not possible.
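The arrangement described above, in which the client encrypts with a locally held key, the offsite server stores only ciphertext, and restore decrypts on the client, can be demonstrated with an authenticated encryption round trip. The code below is an added example written for this page, not Mecklenburg Technology Group's client or server software. It uses AES-256-GCM from the Go standard library; the key generation, the blob layout (nonce, then ciphertext, then tag), the use of the archive path as associated data, and the sample record are all choices made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is the AES-256 key length in bytes.
const KeySize = 32

// NewLocalKey generates the key that stays on the client's premises. The
// offsite server never receives it. (Example code, not the vendor's.)
func NewLocalKey() ([]byte, error) {
	k := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// newAEAD wraps a raw key as an AES-GCM cipher, refusing wrong-sized keys.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, fmt.Errorf("key must be %d bytes", KeySize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUpload seals one file's content on the client before it leaves
// the premises. The archive path is bound in as associated data, so a stored
// blob cannot later be presented as a different file. Output layout:
// nonce || ciphertext || 16-byte authentication tag.
func EncryptForUpload(key, plaintext []byte, archivePath string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(archivePath)), nil
}

// DecryptFromArchive runs on the client at restore time. It fails, rather
// than returning garbage, if the key is wrong, the path does not match, or
// the blob was altered while in transit or in storage.
func DecryptFromArchive(key, blob []byte, archivePath string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to be a valid archive record")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(archivePath))
}

func main() {
	clientKey, _ := NewLocalKey()
	record := []byte("patient: Jane Doe, DOB 1970-01-01") // constructed sample PHI
	const path = "clinic/records/doe.txt"

	// Client side, before transmission.
	blob, _ := EncryptForUpload(clientKey, record, path)
	fmt.Printf("server stores %d bytes of ciphertext, first bytes %x\n", len(blob), blob[:8])

	// Server side: no client key, so any attempt to open the blob fails.
	if _, err := DecryptFromArchive(make([]byte, KeySize), blob, path); err != nil {
		fmt.Println("server cannot read the record:", err)
	}

	// Client side, at restore time.
	plain, _ := DecryptFromArchive(clientKey, blob, path)
	fmt.Println("restored on client:", string(plain))
}
```

Two properties matter for the compliance argument the text makes: the server holds nothing it can turn back into PHI, and a restore that returns data at all returns exactly what was uploaded, because GCM rejects modified ciphertext. The flip side, which the text also implies, is that the locally stored key is now the single point of failure for restores, so it needs its own protected backup.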
Security
The Security Rule is the one part of HIPAA that clearly applies to the backup services Mecklenburg Technology Group offers. The Final Security Rule was published in February 2003, and became effective on April 21, 2003. Compliance with this Rule will be required by April 21, 2005.
The Security Rule legislates the means that should be used to protect PHI. It requires that covered entities have appropriate Administrative Procedures, Physical Safeguards, and Technical Safeguards to protect access to PHI.
Examples of appropriate safeguards include:
· Establishment of clear Access Control policies, procedures, and technology to restrict who has authorized access to PHI.
· Establishment of restricted and locked areas where PHI is stored.
· Establishment of appropriate Data Backup, Disaster Recovery, and Emergency Mode Operation planning.
· Establishment of technical security mechanisms such as encryption to protect data that is transmitted via a network.
Backup Services from Mecklenburg Technology Group are compliant with the Final Security Rule.
Mecklenburg Technology Group backup client software contains all appropriate technical security mechanisms to protect the data that is transmitted to and from the Mecklenburg Technology Group backup Server.
Backup services from Mecklenburg Technology Group can form a critical part of Data Backup, Disaster Recovery, and Emergency Mode Operations strategies by providing offsite backup that can be geographically distant from the client site to minimize the likelihood of data loss in a large-scale disaster. In the event of loss of the client’s office site, data on our backup server can quickly and easily be recovered from a replacement office site.
Covered entities will be required to comply with the HIPAA Administrative Simplification Security Rule by April 21, 2005. Backup services from Mecklenburg Technology Group, as part of a comprehensive security or disaster-recovery plan, can be an important part of compliance strategy.
The Financial Modernization Act of 1999 - Gramm-Leach-Bliley Act
The Financial Modernization Act of 1999, also known as the “Gramm-Leach-Bliley Act” or GLB, includes provisions to protect consumers’ personal financial information held by financial institutions. There are two principal parts to the privacy requirements as they relate to data management: the Financial Privacy Rule and the Safeguards Rule. The GLB Act gives authority to eight federal agencies and the States to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These regulations apply to “financial institutions,” which include not only banks, securities firms, and insurance companies, but also companies providing many other types of non-traditional financial products and services to consumers. Among these services are those in the business of lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, residential real estate settlement services, collecting consumer debts, providing health insurance and an array of other activities. Such non-traditional financial institutions are also regulated by the FTC.
The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information. The Financial Privacy rule requires covered institutions to spell out, in the form of a privacy notice, their information sharing practices. Most of us have seen these notices included with correspondence related to loan applications, account servicing, or credit card statements. Using a process detailed in the institutional privacy notices, consumers have the right to limit some – but not all – sharing of their information.
The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The rule applies not only to financial institutions that collect information from their own customers, but also to businesses – such as credit reporting agencies – that receive customer information from those institutions. It is within the Safeguards section of GLB that the parameters for data safety at these institutions are clarified, and it is here also that the deficiencies of ‘legacy’ data protection methods are exposed. The section addresses distinct areas of safeguards which must be implemented, including Administrative, Technical, and Physical.
As in HIPAA regulations, many of the Administrative safeguards are designed to verify that reasonable steps are being taken to secure the sensitive data stores maintained by covered institutions. While most of these steps should be (and in many cases are already) taking place at the institutions, the Safeguards Rule mandates that the administrative steps be encapsulated in a written information security plan. The plan is required to include an assessment of risks and an evaluation of existing safeguards, the establishment of a comprehensive safeguards plan, contracting with vendors to facilitate the plan when appropriate, and regular testing and evaluation of the plan and practices as the covered entity’s business scope or volume changes.
The Federal Trade Commission (FTC), which is a major oversight body for GLB, also indicates the need for employee education and training, information systems management, and managing system failures. These measures help to ensure that data safeguards are robust and that all parties who come into contact with sensitive information are aware of company policies and the law.
The Information Systems component of GLB addresses the company’s technological interfaces with client data, and can include analyses of network and software design, information processing, storage, transmission, retrieval, and disposal. Here again, the FTC strongly suggests several procedural and technological steps ranging from basic security like locked file drawers and server rooms to backing up client data to a secure, encrypted and password-protected server.
Many of GLB’s provisions are designed to ensure that basic steps are taken so that client data is available only to those employees who need it in the course of their work, and that it is securely off-limits to others. The Financial Privacy provisions were put in place to ensure that the data is properly maintained and protected. The provisions related to information systems and managing systems failures help to ensure that the institution maintains access to the data in order to resume operations after data loss, and is able to provide documentation that would normally have been lost when and if the need or requirement arises.
As Federal agencies are empowered to enforce GLB under existing codes such as the Federal Deposit Insurance Act, penalties for non-compliance are substantial. Fines levied at guilty institutions can be up to $100,000 per violation at the national level and can also expose the covered institutions, especially those in the insurance sector, to state-level sanctions in many cases. In addition, the officers and directors of these companies can be held personally liable for civil penalties up to $10,000. For companies or individuals that employ ‘pretexting’ (the use of fraudulent or deceptive tactics to obtain private financial information) the monetary penalties can go even higher, and violators can face prison terms of 5 to 10 years in addition to the fines.
Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act, commonly referred to as ‘SOX’, was signed into law on July 30, 2002, and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws".
The legislation came about after a round of highly-publicized corporate scandals rocked the corporate world in the opening years of the new millennium; the most notable of these included the Enron collapse and subsequent revelations of accounting irregularities at WorldCom.
At the risk of oversimplifying a landmark piece of legislation, and speaking strictly as it relates to information technology, data backup, management processes and disclosures, the act contains several key sections.
Sections 103 and 104 are closely related, and provide details about the length of term (7 years) that accounting and auditing entities must retain all documents and data relating to audit reports of companies required to comply with SOX. While the physical paperwork can be maintained in various ways, electronic backup of digital records is highly advisable considering that investigators usually demand all versions of documents in their analysis. With encrypted, secure offsite backup of these files, they are protected from prying eyes or malicious intent, and virtually any version of a file can be retrieved very quickly for comparison, and for building the paper trail that proves that control processes were properly followed.
Section 105 addresses the confidential nature of the accounting and audit files prepared for and received by an organization’s board of directors. Again, digital backup copies are the best bet for preserving these files because they can be encrypted and compressed prior to storage, and with the best offsite backup solutions, remain encrypted and compressed in storage until they are restored to the original source location. This makes it virtually impossible for the contents of these sensitive documents to become known to, or to be ‘restored’ by anyone other than authorized individuals – clearly a critical piece of the compliance puzzle with regards to accounting and auditing firms.
Section 302 of the eleven-section law is entitled Corporate Responsibility for Financial Reports and is important because it places the responsibility of attesting to the content, accuracy, and (perhaps most importantly) the authenticity of financial reports issued by that organization squarely on the shoulders of executive management and the board of directors at public companies.
Section 404 also involves the placement of additional responsibility on senior management and corporate officers, but has implications that extend deep into the rank-and-file of the company as well. Initially, Section 404 seems to simply require an addendum to the company’s annual report. This addendum, referred to as an internal control report, states that management is responsible for maintaining an “adequate internal control structure”, and is also to include an assessment by management of the control structure’s effectiveness.
The loss of data from any critical systems during the reporting processes can send the entire compliance scramble into a tailspin, and at the very least the corporate stewards will be required to log this deficiency in their periodic reports. In light of the contempt with which Congress has met previous corporate cover-up activity, the permanent loss of potentially revealing data in this manner could well be seen as a federal-level ‘dog ate my homework’ plea. Unfortunately, the media can act as a catalyst for speculation, spinning what might truly be an unfortunate event into a story that sends investors scrambling.
The bottom line? Compliance with Sarbanes-Oxley depends heavily on reports created from sensitive data, without even the appearance of impropriety in its compilation. These reports must be generated from actual, factual data, with strict access and process safeguards all along the way and executive-authorized documentation to attest to the existence of and adherence to these safeguards. Remotely backing up the data that is crucial to the creation of these reports ensures that localized hazards such as fire, theft, or opportunistic or vindictive employees are neutralized and that the mission-critical reports can be drawn from original data.
Data Backup Software and Services – Access-Controlled Data Insurance
To be clear, there is no single software product or information technology service that can make an organization fully compliant with any of this legislation. The respective laws are complex and far-reaching, and were designed to enforce a level of integrity in operations and corporate philosophy that cannot be pulled from a box or jewel case. Automated, offsite backup services from Mecklenburg Technology Group, through their ability to maintain secure copies of critical, sensitive data in an offsite protected location, and to have them available for quick restore for required reporting or disclosure, address several of the criteria of compliance with all of them.
As enforcement of these laws increases, so does the need to have your data, and that of your clients, properly secured. Are you a member of the ‘circle of trust’ as referenced in GLB? Are you a HIPAA ‘covered entity’ or a business partner of one? Can you guarantee availability of critical reporting data for your SOX clients? It is time for businesses of all types to get serious about data security – and automated, offsite backup of data is a crucial and cost-effective component in compliance, business continuity, and disaster recovery planning.
Disclaimer
Please note that, although all information presented is believed to be factually correct, this presentation is not intended to give legal advice. Please consult with your legal counsel if you have questions about your specific situation.