Offsite Data Storage – in depth examination of issues
We are rapidly approaching my favourite holiday, Canada Day! For many years my family and I have spent the day @ Spencer Smith Park in Burlington enjoying the sights and sounds (and strawberry shortcake at the JoBrant Museum, yum!) and reflecting on our good fortune to have a country like ours to live and grow in. However, there is a serious side to this discussion as well, we need to take steps to protect our sovereignty in many ways. Whether it is being conscious of the laws and traditions that make our nation unique right now to making sure we know where our personal and business data is stored.
That is the first issue about offsite data storage to discuss today, data sovereignty. All of us know that, when travelling outside our country, we are subject to the laws in the country we are visiting. Now, these countries may make exceptions for tourists that bring in that much desired foreign currency, but, bottom line is that if we go too far, they will enforce their laws whether we agree with them or not. And, this is their right as a sovereign nation to do so.
Well as it is with people travelling, so it is with your data. In Canada we know that there is due process before our law enforcement can seize data/ records/ equipment/ property. If your company was being investigated there would be a public, open process and you would have a chance to defend yourself before any search and seizure was executed. And, even if property / records / etc are seized, there is a public, open process where you can defend, appeal etc any action. Now, if your data is in another country, does that apply? The answer is maybe, it depends on the country. For example, there are many countries where on suspicion (not on evidence, no due process) property/ records/ etc can be seized and then to get your property/ records/ etc back, you need to litigate in that foreign country.
There are two levels of exposure here direct search and seizure and indirect search and seizure. Basically, you may have your data and/or equipment seized due to;
-them targeting you
-them targeting the facility and you get caught in the sweep
Both of these scenarios have played out with Canadian Data being stored in the US. The most famous was from 2010 when an online file sharing service that also hosted websites was raided and ALL the servers (hundreds of them) were seized without prior notice. As of this date, some of the servers have still not been returned. Just Google search on ‘FBI Seizes Servers’ and there are pages of them, on the flipside, search ‘RCMP Seizes Servers’ and there are none. That is because in Canada there is a much higher standard of proof required before search and seizure is authorized. Now, we are in no way saying that the US’s laws are lax, they are just different (just like other countries) and we all need to be aware of the risks.
While we are on the topic of offsite data storage, we need to also understand about WHO is caring for your data. One story I tell is asking the owner of a fairly large company how they picked their offsite data storage provider…. he told me they did a web search and chose the cheapest one. So, I asked him about how his $500.00 in petty cash was managed (bear with me, this is relevant). I asked if there was a small bucket of money that anyone could help themselves to or? He quickly replied with an emphatic NO! You need prior authorization from a senior manager, a receipt, the receipt has to be checked, someone with a key has to get the money, there is a form that the employee has to sign, etc. Well, I said, that is certainly a comprehensive policy to safeguard $500.00. So, I continued and asked how much his corporate data was worth? When he paused I asked if it was worth more or less than $500.00? Do you see where we are going with this?
When he replied with, ‘certainly it is worth more than $500.00’. I then said, so, then why did you take so little care with choosing the offsite data provider? You are trusting them with your whole business, contacts, customer lists, business intelligence, memos, EVERYTHING about your business. So, don’t you think it could deserve some due diligence in selection? Some questions to ask may include, is the data stored in Canada (see above), is the data protected by a backup generator and UPS’s, what is the backup availability guaranty nine 9’s, five 9’s, two 9’s? Is the backup equipment at the vendors site physically secure? Is the backup equipment at the backup vendors’ site free of liens (you don’t want the backup vendor defaulting on a lease payment and the leasing company repossessing the server that YOUR data is on), etc. Basically, does the backup vendor care about your data and your access to your data as much as you do? If they can’t or won’t answer these (and more) questions, maybe you should be looking elsewhere.
Now, it is all well and good to have backups but what about testing that the backups are working properly? Before you get too relaxed that you have offsite backups and that you are covered in case of disaster, a periodic test of backup performance should be part of the regular IT responsibilities. It could be as simple as asking the backup vendor to recover half a dozen random files every six months and email them to you so you can compare them to current files on your server and test you can open them etc. Or, it could be as complex as restoring the entire server to a test machine to verify the total recovery. This varies based on level of comfort that you need but it needs to be done at some level just to be sure.
The last part of the contact you should pay close attention to is the separation agreement. Yes, I understand that we all want and expect the relationship to be forever, however, needs and ‘fit’ sometimes change and there may come a day when you and the backup vendor may part ways. What happens to your data (and all copies, the backup vendor should also backup the backup server so there may be multiple copies of your data on their site) when the relationship ends? Is it just ‘deleted’ and the space re-sold to another company, in which case a curious / malicious company or person could recover your data? Is each copy systematically searched out and securely deleted (think crosscut shredding of critical paper documents)? This is a simple, but important item to check on BEFORE entering into the arrangement.
We do not bring up this to spread fear, uncertainty and doubt (FUD) about offsite backups, on the contrary we are big fans of offsite backups as a sound part of a disaster recovery plan for business. Quite simply, we are technology experts and, as such, we make it our business to keep our clients informed of all the issues inherent in any type of technology adoption. The success of any project is directly related to how well informed you are and as such, dispelling FUD is what we see as one of our major roles in assisting our clients.
One last item to mention quickly before we let you go, we have introduced a highly-reliable Fax to email gateway.
Are you frustrated with the paper waste of junk faxes? Are you annoyed that that important fax is in a filing cabinet and not available to you when you are out of the office? Well, have we got a system for you! HardSoft Systems Ltd has developed a low cost, high reliability fax to email gateway product that can fill these and other needs. It takes all incoming faxes, converts them to PDFs and emails them to an email address of your choice. Then, you can preview them, delete the junk faxes with no paper waste and file and/or forward the valuable ones in your email (or server, or in the Cloud or…) where you can access them anytime anywhere.
Call us @ 1-800-263-8433 FREE or email us to see how we can help you navigate out of the paper jungle.