Not so long ago, the processes and products surrounding data management at most companies were fairly straightforward: Capture and compile data, share it across departments, generate reporting and metrics as needed and don't lose it. Period. Due to yesteryear's relatively manageable amounts of data, the challenges lay primarily in maintaining the workstations and applications that generated and utilized the respective data stores, not so much in guaranteeing availability or even necessarily the accuracy of the data. Those responsibilities were owned by the creators of the data and the vendors and sources they tapped for it.
In recent years, much has changed. The amount of data used by today's businesses has increased exponentially from just five years ago. Corporate scandal, horrific terrorist attacks and glaring security flaws in computer operating systems and software applications have resulted in a much more intense and detailed analysis of data as it enters and leaves the enterprise. Fortune 500 companies have been vilified in the press for reckless data stewardship and, in some cases, for outright fabrication of financial and performance reports. In extreme cases, executives are now lounging in federal facilities, denying to the bitter end that they had any knowledge of the blatant misrepresentation for which they were held accountable. The private information stores of several prestigious organizations, some of them very sensitive and personal in nature, have been lost, misplaced and accessed by miscreants - the sordid details of the events becoming fodder for an indignant news media. Corporate America, already under varying degrees of competitive and performance pressure, is now faced with compliance legislation and disclosure requirements that seek to right some of the wrongs done to consumers, investors and employees alike.
What follows is an analysis of three major pieces of process and data management compliance legislation, with a specific focus on the critical role that data availability plays in all of them. Access and process controls, internal and third party audits, reporting requirements and penalties for noncompliance are just a few of the areas that will be addressed on a per-measure basis.
Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA)
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans and employers. It also addresses the security and privacy of health data.
The Act was passed in August of 1996, with the original document calling for the Department of Health and Human Services to adopt standards for certain types of healthcare transactions, such as claims processing and billing, within 18 months of that date. Health plans were expected to adopt these same standards as practice within 24 months of their adoption by HHS, effectively opening a three-and-a-half-year window for analysis and adoption. Today, nearly a decade after the enactment of HIPAA into law, full uptake and adoption projections extend out until 2008, with future extensions of various types highly probable.
In February of 2003, the Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register. Among many other items, the standards called for appropriate measures to back up and store healthcare-related computer data files. Above the protestations of some members of Congress, the document specifically addressed the need for covered healthcare entities to back up their critical data stores, citing that the methodology and requirements would differ from one to another. In fact, the final security rule contains language making the implementation of a data backup plan a required portion of compliance with the rule, positioning backup as part of a "required contingency plan" which also calls for a formal disaster recovery plan and an emergency mode operation plan. Further, the committee also listed data backup as "addressable" (read: highly suggested) in the Physical Safeguards section of the rule.1
It is clear that the intent of HIPAA, particularly the Administrative Safeguards section of the Final Security Rule, is to help ensure that a covered entity's sensitive data stores are protected both technically and operationally from unauthorized access and usage, and to ensure that they can be recouped in the event of the loss or destruction of host hardware or infrastructure.
The majority of HIPAA compliance activity manifests as sensible business practices - things like locked server room or datacenter doors, password-protected databases, access and process control documentation, and formal plans for disaster recovery and business continuity.
It is important to note that many of the key measures extend not only to large health insurance companies, but to their business associates and participating physicians as well. Like it or not, HIPAA has helped to create healthier and more secure physician business processes. In the past, physicians were content and within guidelines to back up to tape drives located within their offices. The new HIPAA security standards, which officially took effect in April 2005, mandate that the physician be able to access the data in case of an emergency so that operations can continue. Ideally, physicians and other business associates should back up their data to an offsite and secure facility, so that perils to the physical office and hardware would not substantially affect their ability to quickly resume business with an accurate and secure data set. In a recent article in a prominent international medical journal, a leading provider of financial and technical services to smaller physician offices listed the lack of a data backup plan as one of three key areas of noncompliance by these entities.2
What are the costs of noncompliance? Let's disregard for a moment the clear and serious business implications for any entity that is publicly accused or exposed as having mishandled sensitive patient data. Instead, we'll concentrate on the stated fines and imprisonment sanctions that are spelled out for us within the Act itself. Per section 1177, fines for any entity that knowingly uses, obtains, or discloses personally identifiable health information to another person range from $50,000 to $250,000 per case, depending on the nature and circumstances surrounding the offense. Violators can also face jail time ranging from one to ten years in addition to the fines.3
The message is clear. The sensitive and personal nature of the information required to do business in the healthcare sector also requires extraordinary measures to prevent it from being leaked or unintentionally shared with others during day-to-day operations. As of April 2005, more than 175 cases of alleged privacy violations had been referred to the Department of Justice (DOJ) for potential criminal prosecution.4 While that number represents a small fraction of the nearly 11,000 complaints made during that same time period, recent scuttlebutt in medical association journals indicates that investigative activity is on the rise and that regulators and investigators from DOJ and the Office of Civil Rights will undoubtedly be less inclined to show leniency as time goes by.
The Financial Modernization Act of 1999: Gramm-Leach-Bliley Act
The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB, includes provisions to protect consumers' personal financial information held by financial institutions. There are two principal parts to the privacy requirements as they relate to data management: the Financial Privacy Rule and the Safeguards Rule. The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These regulations apply to "financial institutions," which include not only banks, securities firms and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional financial institutions are regulated by the FTC.5
The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, which receive such information. The Financial Privacy Rule requires covered institutions to spell out, in the form of a privacy notice, their information-sharing practices. Most of us have seen these notices included with correspondence related to loan applications, account servicing, or credit card statements. Using a process detailed in the institutional privacy notices, consumers have the right to limit some - but not all - sharing of their information.
The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The rule applies not only to financial institutions that collect information from their own customers, but also to businesses - such as credit-reporting agencies - that receive customer information from those institutions. It is within the Safeguards section of GLB that the parameters for data safety at these institutions are clarified, and it is here also that the deficiencies of legacy data protection methods are exposed. The section addresses distinct areas of safeguards which must be implemented, including Administrative, Technical and Physical.
As in HIPAA regulations, many of the Administrative safeguards are designed to verify that reasonable steps are being taken to secure the sensitive data stores maintained by covered institutions. While most of these steps should be (and in many cases are already) taking place at the institutions, the Safeguards Rule mandates that the administrative steps be encapsulated in a written information security plan. The plan is required to include an assessment of risks and an evaluation of existing safeguards, the establishment of a comprehensive safeguards plan, contracting with vendors to facilitate the plan when appropriate and regular testing and evaluation of the plan and practices as the covered entity's business scope or volume changes.
The FTC, which is a major oversight body for GLB, also indicates the need for employee education and training, information systems management and managing system failures. These measures help to ensure that data safeguards are robust and that all parties who come into contact with sensitive information are aware of company policies and the law.
The information systems component of GLB addresses the company's technological interfaces with client data and can include analyses of network and software design, information processing, storage, transmission, retrieval and disposal. Here again, the FTC strongly suggests several procedural and technological steps, ranging from basic security like locked file drawers and server rooms to backing up client data to a secure, encrypted and password-protected server.
Many of GLB's provisions are designed to ensure that basic steps are taken so that client data is only available to those employees who need it and is securely off-limits to others. The Financial Privacy provisions were put in place to ensure that the data is properly maintained and protected. The provisions related to information systems and managing system failures help to ensure that the institution maintains access to the data in order to resume operations after data loss, and is able to provide documentation that would otherwise have been lost when and if the need or requirement arises.
As federal agencies are empowered to enforce GLB under existing codes such as the Federal Deposit Insurance Act, penalties for noncompliance are substantial. Fines levied at guilty institutions can be up to $100,000 per violation at the national level and can also expose the covered institutions to state-level sanctions in several cases. In addition, the officers and directors of these companies can be held personally liable for civil penalties up to $10,000. For companies or individuals that employ "pretexting," the use of fraudulent or deceptive tactics to obtain private financial information, the monetary penalties can go even higher, and violators can face prison terms of 5 to 10 years in addition to the fines.
Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act, commonly referred to as SOX, was signed into law on July 30, 2002, and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws."6
The legislation came about after a scourge of highly publicized corporate scandals rocked the corporate world early in the new millennium; most notable of these are the Enron collapse and subsequent revelations of accounting shenanigans at WorldCom.
At the risk of oversimplifying a landmark piece of legislation and speaking strictly as it relates to information technology, data backup, and management processes and disclosures, the act contains several key sections.
Sections 103 and 104 are closely related, and provide details about the length of term (seven years) that accounting entities must retain all documents and data relating to audit reports of companies required to comply with SOX. While the physical paperwork can be maintained in various ways, electronic backup of digital records is highly advisable considering that investigators usually demand all versions of documents in their analysis. With offsite backup of these files, they are digitally protected from prying eyes or malicious intent, and virtually any version of a file can be retrieved very quickly for comparison and for building the paper trail that proves that control processes were properly followed.
Section 105 addresses the confidential nature of all files prepared or received by an organization's board of directors. Again, digital backup copies are the best bet for preserving these files because they are encrypted and compressed prior to storage, and with the best remote backup solutions they remain encrypted and compressed in storage until restored to the original client machine. This makes it virtually impossible for the contents of these sensitive documents to become known or to be restored by anyone except for the client, including the provider of the backup service.
Section 302 of the 11-section law is entitled Corporate Responsibility for Financial Reports and is important because it places the responsibility of attesting to the content, accuracy and (perhaps most importantly) the authenticity of financial reports issued by that organization squarely on the shoulders of executive management and the board of directors at public companies.
Section 404 also involves the placement of additional responsibility on senior management and corporate officers, but has implications that extend deep into the rank-and-file of the company, as well. Initially, Section 404 seems to simply require an addendum to the company's annual report. This addendum, referred to as an internal control report, states that management is responsible for maintaining an "adequate internal control structure," and is also to include an assessment by management of the control structure's effectiveness.7
The loss of data from any critical systems during the reporting processes can send the entire compliance scramble into a tailspin, and at the very least the corporate stewards will be required to log this deficiency in their periodic reports. In light of the document shredding that was met with such contempt in Congress, the permanent loss of potentially revealing data in this manner could well be seen as a federal-level "dog ate my homework" plea. Unfortunately, the media can act as a catalyst for speculation, spinning what might be a truly misfortunate event into a story that sends investors scrambling.
The bottom line? Compliance with Sarbanes-Oxley depends heavily on reports created from sensitive data without even the appearance of impropriety in its compilation. These reports must be generated from actual, factual data, with strict access and process safeguards all along the way and executive-authorized documentation to attest to the existence of and adherence to these safeguards. Remotely backing up the data that is crucial to the creation of these reports ensures that localized hazards such as fire, theft or opportunistic or vindictive employees are neutralized and that the mission-critical reports can be drawn from original data.
Data Backup Software and Services: Access-Controlled Data Insurance
To be clear, there is no single software product or IT service that can make an organization fully compliant with any of the legislation discussed herein. The respective laws are complex and far-reaching, and were designed to enforce a level of integrity in operations and corporate philosophy that cannot be pulled from a box or jewel case. Remote Backup Software, through its ability to maintain secure copies of critical, sensitive data in a protected location, and to have them available for quick restore for required reporting or disclosure, addresses several of the criteria in compliance with all of them.
As enforcement of these laws increases, so does the need to have your data and that of your clients properly secured. Are you a member of the circle of trust as referenced in GLB? Are you a HIPAA-covered entity or a business partner of one? Can you guarantee availability of critical reporting data for your SOX clients? It is time for IT service companies and businesses of all types to get serious about data security - and remote backup of data is a crucial and cost-effective component in compliance, business continuity and disaster recovery planning.
Special thanks to Chris Apgar, Apgar and Associates for providing professional assistance and consultation.
1. Federal Register. Health Insurance Reform - Security Standards. February 2003.
2. International Journal of Micrographics and Optical Technology. Physicians Lack Data Backup Plans and Access Controls. January 2005.
3. University of Miami Ethics Program. Violation Penalties (HIPAA). May 2005.
4. California Medical Association. HHS Publishes HIPAA Enforcement Plan. April 2005.
5. Federal Trade Commission. Financial Privacy: The Gramm-Leach Bliley Act. www.ftc.gov.
6. Posting on the Sarbanes-Oxley Act Forum. www.sarbanes-oxley-forum.com.
7. American Institute of Certified Public Accountants. Summary of Sarbanes-Oxley Act of 2002 (Interpretation). www.aicpa.org.
Tommy Gardner is director of Sales and Marketing for Remote Backup Systems, Inc., based in Collierville, Tennessee. With a background in compliance, workflow and data management process analysis, Gardner has been involved in software design and sales for many years and is a leading proponent of owner-managed IT services organizations. For more information, please visit http://remote-backup.com or contact him directly at email@example.com.