2012 Outlook: Compliance and Your Data Backup Services

Your data backup plan may be compliant today, but is it ready to address possible changes in federal or state laws in the coming year?

Do you consider yourself a compliance policy expert? It’s great to stay informed. But when lawyers or auditors come to call, what matters most is how you’ve translated all that research of up-to-the-minute compliance best practices for your data backup and recovery program.

The good news for 2012: Even though the nation’s continuing economic troubles have legislators promising the moon in terms of reforms, what’s actually in store are additions and refinements to some of the blockbuster regulations of the past decade or so.

For example, the presidential candidates and their colleagues in Congress have engaged in considerable conversation about the Sarbanes-Oxley Act (SOX) and its relevance. (And no matter who wins in 2012, changes to SOX appear to be on the horizon.) What’s more, there’s talk of reinstating the Glass-Steagall Act, enacted in 1933 to create strict separation of the banking and investment industries. More refinements are possible for the increasingly pervasive Health Insurance Portability and Accountability Act (HIPAA).

With these and many other possible changes afoot, your company must ensure that all relevant information remains compliant and accessible, even when it’s been retired from active duty and sent to long-term storage. As you review your archiving strategy, ask yourself:

  • Does our firm’s archived data comply with upcoming changes to privacy, disclosure and data-breach laws?
  • If the company had to fulfill an audit or legal discovery request, could we demonstrate an ironclad chain of custody throughout the entire process, as well as in our offsite facility?

As you consider those questions, also keep in mind these regulatory laws, subject to change. They may impact your archived data.

1. The Sarbanes-Oxley Act (SOX). Born in 2002 in reaction to turn-of-the-century corporate misconduct, SOX aims to ensure corporate accountability. But compliance with the outside audit requirements of the act’s Section 404 can cost an organization millions of dollars, as it calls for the storing of potentially voluminous supporting documentation for lengthy time periods. Citing this corporate burden, some presidential candidates have proposed amending SOX or repealing it entirely.

The good news (for some): The House Financial Services Committee no longer holds companies with a market capitalization of less than $350 million to Section 404(b) compliance. However, any additional SOX revisions could have an impact on your long-term archiving plans­. Stay tuned.

2. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. On the heels of the recession, Congress instituted regulatory reforms for the financial services industry. Though it was diluted before it reached the desk of President Obama, the bill signed into law charged the SEC to review SOX and recommend ways to reduce the regulatory burden of complying with Section 404(b) for companies whose market capitalization is between $75 and $250 million.

3. The Health Insurance Portability and Accountability Act (HIPAA). Version 5010 aims to standardize information presentation across all records formats. Also of great import to records managers, 5010 supports OCD-10, a vastly expanded set of medical codes that healthcare organizations use to designate medical procedures and diagnoses. The expanded system will help organizations better collect data and do more detailed reporting.

Key to HIPAA’s influence in the coming years is its incorporation of the Centers for Medicaid & Medicare (CMS) Meaningful Use Requirements. Issued in 2010, these efficiency-focused technology mandates call for, among other changes, healthcare firms’ adoption of electronic medical records (EMR) systems.

The good news: Compliant firms will receive incentives to the tune of $19 billion through 2015, according to the American Medical Association.

4. The Red Flags Rule. The Federal Trade Commission’s newly implemented Red Flags Rule requires targeted companies to create a written identity theft prevention program that includes reasonable policies and procedures for “detecting, preventing and mitigating identity theft.” The upshot: you must ensure information is protected from data breaches not only while it’s within your four walls but also during backup and while in storage. If you don’t, you may have to pay the piper in the form of penalties and fines.

How Can You Track It All?

Ensuring that the records residing outside your walls remain compliant in the face of changing regulations is easier when you team with a trusted partner. It’s an alliance that will help you keep archived data compliant while offering you valuable peace of mind. Look for a partner that:

  • Adheres to strict security policies. Compliance excellence calls for a partner that makes security a priority, from vetting couriers to handling tapes and data going into your archives. You’ll want to know, for example, whether your potential partner offers onsite scanning of pulled tapes.
  • Demonstrates expertise and reliability. Choose a partner with a proven track record of keeping up with changes in federal and state laws.
  • Goes the distance. The optimal service provider will be ready, willing and able to help you define archiving standards. This includes establishing controls around rotation schedules and retention dates, among other functions.

Social Media: No Longer Under the Radar

It’s easy to consider blog posts, Tweets and status updates as something less than important, regulated communication. However, any format that hosts your organization’s important data deserves the utmost in records management attention and is subject to compliance stipulations.

One very surprised financial services firm found this out in 2003 when the Securities and Exchange Commission confiscated its email (at the time not considered to be a regulatory target) as part of an investigation, using the SEC’s Rule 17a-4. Drafted before the emergence of email as a principal communications conduit, Rule 17a-4 became the government’s legal means of obtaining a firm’s email correspondence. It calls for:

  • Written and enforceable retention policies
  • A searchable index of all stored data
  • Viewable and readily retrievable data
  • Offsite data storage

The takeaway: Rule 17a-4 is an important regulation to remember as you plan any refinements to your data backup strategy in the coming year.

As organizations continue to communicate—and encourage their customers to interact—via email, Facebook, Twitter and other social media applications, expect to see more regulations addressing the retention and/or destruction of data in these “records.”


Do you have questions about data backup and recovery? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s Data Backup and Recovery team. You’ll be connected with a knowledgeable product and services specialist who can address your specific challenges.

Related Content:

Mobility and Secure Data Backup Operations: Mutually Exclusive?

Having a Heat Wave? Changes in Climate Really Do Impact Tape Backup Technologies

How to Select a Standout Data Backup Partner