
Implementing Protective Procedures

Public corporations are also obligated to protect vital records, under multiple laws and statutes. In the United States, the Sarbanes‐Oxley Act of 2002 (SOX) sets regulatory requirements for the disclosure of financial records and statements, accounting practices, and related communications in an attempt to root out fraud. SOX does not specify “how a [public or corporate] business should store its records; rather, it defines which records are to be stored and for how long” (italics added).¹¹

The SOX legislation not only impacts financial reporting, it also impacts the records management, compliance, legal, and IT departments—those charged with maintaining the corporation’s electronic records. It also affects those who audit public corporations. The Sarbanes‐Oxley Act states that all business records, including e‐records, e‐mail and other electronic messages, must be saved for “not less than five years.”

The consequences for noncompliance are serious and can include monetary fines, imprisonment of executives, or both. Since SOX was implemented, executives of public corporations have increasingly taken an active role in dictating IG and records management policies, and the records management and compliance functions have gained elevated visibility and importance. Cost‐effectively achieving transparency and compliance in records management functions has been a great challenge over the past decade, and it requires new policies, new technologies, and new governance, risk management, and compliance (GRC) tools.

Private corporations are subject to much less scrutiny, so much so that some public enterprises have made the move to turn private. But private corporations are also regulated under the Foreign Corrupt Practices Act (FCPA) of 1977 (amended 1988, 1998), which affects private corporations, limited liability corporations (LLCs), and partnerships. The FCPA was originally intended to prevent the destruction of business records to hide bribery or other crimes. Substantial penalties are imposed for failure to keep proper financial records.

Additional recordkeeping regulations affect specific vertical industries. HIPAA (Health Insurance Portability and Accountability Act) requires application data backup and business continuity plans for electronic data and records kept by health care providers. 45 CFR 164.30 requires healthcare organizations to “protect against any reasonably anticipated threats or hazards to the security and integrity of such information,” and business continuity plans are required “to create and maintain retrievable exact copies of electronic protected health information.”

The Federal Deposit Insurance Corporation (FDIC) requires banks to have business continuity/disaster recovery plans in place for computing facilities. These plans are reviewed by the Federal Financial Institutions Examination Council (FFIEC).

There are a range of levels of investment that an organization may make in safeguarding its vital records and e‐records, from inexpensively storing paper records in sturdy cardboard boxes, to portable file cabinets that can be rolled out of an area should the need arise, to fireproof vaults and even costly fire‐proofed rooms. The medium and format of the records along with the level and speed of access needed will dictate which choices of protection are suitable. Other factors include budgetary constraints, operating environment, and whether or not a copy exists safely off‐site.

Under SOX, all business records must be saved for at least five years.

E‐records are easier to protect than paper or other physical records.

The most expensive options should be selected for vital records that cannot be recreated or have lasting historical value. Choose the highest security alternatives only when absolutely required, such as for classified government operations.

Protective and preventative measures must be undertaken to safeguard your organization’s vital e‐records. These safeguards must first provide for physical security, using means like control for physical access (e.g., smartcards for file room access, a fireproof safe) and for online access (passwords, access and authentication security measures) and records preservation over the long term.

In general, electronic records are easier to protect from disaster than physical (paper) records, due to their portability and ease of copying for backups. Copying a vital e‐record may be as easy as using a few keystrokes to burn it to CD or DVD, or even a flash drive, all of which are fast and inexpensive. Protecting those e‐records from unauthorized copying or use is more difficult than if they were paper records locked in a storage safe. But it can be accomplished with technologies like encryption and information rights management (IRM), which has the ability to secure an electronic document throughout its lifecycle.

How do you flag records as vital and therefore note their importance, and invoke a set of IG policies that apply to them? It can be as simple as including the word “vital” in the document or folder title, as this will make them easier to search and retrieve—and also it means that their handling must be dictated by IG policies and guidelines that are specific to vital records.

Vital records should not be stored on individual PCs, laptops, or tablets, but rather, on networked servers that make regular backups, and are managed by formal procedures.¹²

Instant Continuous Backup

Organizations may protect themselves by employing software and methods to back up their data and vital records in real time, instantly, on a continuous basis. This can be as basic as disk mirroring (replicating data to two or more disks at once) or using RAID (redundant array of independent disks), which writes all data across an array of disks, with built‐in backup and recovery capabilities. Or, it can be as complex as backing up the data in two or more remote sites over a secure connection such as a virtual private network (VPN), instantaneously. Organizations such as banks and hospitals and critical military units that cannot allow downtime may use this approach to ensure continuity of operations.

Vital records should be stored in a managed environment on networked servers or central mainframe computers that are backed up regularly—not on individual PCs, laptops, or tablets.
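Mirroring or replicating vital e‐records to a second disk or a remote site only satisfies the “retrievable exact copies” requirement quoted above if someone checks that the copies really are exact. The following added example (written for this page, not code from the book or any product it mentions) shows the usual records‐preservation control for that: a fixity manifest of SHA‐256 digests taken from the primary store, later compared against the replica to report records that never arrived, records whose bytes changed in transit or at rest, and unexpected files on the replica. The directory layout, the file names and their contents are constructed sample data; the code uses only the Python standard library.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB pieces so large records never load whole into memory


def sha256_file(path: Path) -> str:
    """SHA-256 digest of one file; this is the fixity value kept in the manifest."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    """Persist the manifest as JSON; keep a copy with the off-site replica too,
    so a verification can run at the backup site without the primary."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_replica(manifest: dict[str, str], replica_root: Path) -> dict[str, list[str]]:
    """Compare a replica against the manifest taken from the primary store.

    'missing' - records the replica never received (incomplete replication)
    'altered' - records whose bytes differ (corruption or tampering)
    'extra'   - files present only on the replica (unexpected content)
    An exact copy yields three empty lists.
    """
    replica = build_manifest(replica_root)
    return {
        "missing": sorted(k for k in manifest if k not in replica),
        "altered": sorted(k for k in manifest if k in replica and replica[k] != manifest[k]),
        "extra": sorted(k for k in replica if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed primary store, mirror it, damage the mirror, then verify."""
    base = Path(tempfile.mkdtemp(prefix="vital_records_"))
    primary, replica = base / "primary", base / "replica"
    # Constructed sample records; 'vital/' in the folder name is the flag the text suggests.
    records = {
        "vital/articles_of_incorporation.txt": b"Articles of incorporation (constructed)\n",
        "vital/2023_audited_financials.txt": b"Audited statements FY2023 (constructed)\n",
        "general/newsletter_2024_q1.txt": b"Quarterly newsletter (constructed)\n",
    }
    for rel, body in records.items():
        target = primary / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

    manifest = build_manifest(primary)
    save_manifest(manifest, base / "manifest.json")
    shutil.copytree(primary, replica)  # the mirroring step

    # Simulate a partial replication and silent corruption on the replica.
    (replica / "vital/2023_audited_financials.txt").unlink()
    (replica / "vital/articles_of_incorporation.txt").write_bytes(b"Articles (altered)\n")

    result = verify_replica(manifest, replica)
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

Running the script reports one missing and one altered vital record and nothing extra. In practice the manifest is generated when a record is declared vital, re‐verified on a schedule against every copy (local mirror, off‐site replica, retrieved tape), and the differences feed the incident and records‐management process rather than a console.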

Off‐site Continuity Options

An organization may make arrangements to switch its computing operations over to an alternate, backup site for complete redundancy and for backup operations in the event of a business disruption. This may be accomplished through a remote unit of the same organization, a sister organization, or a third‐party data center. There are three basic types of backup sites: hot sites, warm sites, and cold sites.

A hot site is one that has identical or nearly identical hardware and operating system configurations, and copies of application software, and receives live, real‐time backup data from business operations. In the event of a business interruption, the IT and electronic vital records operations can be switched over automatically, providing uninterrupted service.

This is the most expensive option. It may be offered by corporate data centers, service bureaus, hardware manufacturers, and specialized disaster recovery service organizations.

A warm site may have all (or mostly all) identical hardware and operating systems, such as a hot site does, and software licenses for the same applications, and needs only to have data loaded to resume normal operations. Internal IT staff may have to retrieve magnetic tapes, optical disks, or other storage media containing the most recent backup data, and some data may be lost if the backup is not real‐time and continuous.

A cold site is simply an empty computer facility or data center that is ready with air‐conditioning, raised floors, telecommunication lines, and electric power. Backup hardware and software will have to be purchased and shipped in quickly to resume operations. Arrangements can be made with suppliers for rapid delivery in the event of a disaster. A cold site is the least expensive option, but will take the longest for the organization to get running again. The site may be shared among multiple business units, or even organizations, to spread the cost.