As a general rule, one of the easiest ways to make sure data isn't stolen is to not have it. Unfortunately, as mentioned in this paper from GFI Software there are often legal requirements that prevent a company from purging its data. As the paper mentions, there are a variety of securities regulations that require companies to keep records. While true, that's only part of the story. For example, electronic discovery rules can prohibit a company from purging its records. What's (potentially) worse, even if a company doesn't purge it's records, it can still be sanctioned under the electronic discovery rules if it's records aren't in a reasonably accessible form.
The moral of the story? You need to know not just how to protect data, but what data to keep, and how to keep it in a form where you can get it back.
Tuesday, August 19, 2008
Subscribe to:
Post Comments (Atom)
3 comments:
William,
I spent a number of years as an engineer in the motion picture industry. In the last few years of my career digital storage of content was a major issue that was solved by automatic daily back-up to various media such as DLT. The tapes were stored off line. "On line" intranet drives were used for new media and the back ups were recalled on an as needed basis. Does this sort of thing qualify in the situations you just mentioned?
John
John,
Your daily backups of motion pictures probably wouldn't be covered by the securities regulations mentioned in the GFI paper. However, they could very easily come within the scope of the electronic discovery rules. In that case, you wouldn't need to just worry about whether you'd stored the tapes, but whether you could find the relevant tapes when you needed them, and whether you could read the data from the tapes once you found it.
William,
Thanks but what I was trying to ask is that would that sort of technology (DLT etc), and daily backup procedure be applicable to sensitive data storage.
The motion picture business has its own unique theft issues, and IP and anti-piracy laws apply to those.
I was only referring to the use of these methods to take PII off line and still have it available as required by law.
John
Post a Comment