Verifying Compliance with Data Backup Retention Requirements

How long should you retain backup data? The answer is not as simple as some would think. It is somewhat like asking how long to retain your old bank statements. In many situations, there is no rule that says you must keep any backup data or historical records. Maintaining records is often a way of reducing risk. For a simple example, if you are accused of not paying a bill, your records can provide the exact date and amount of each payment. However, there are many other situations where the maintenance of records is required by various local, state, and federal laws. The Sarbanes-Oxley Act of 2002 specifies mandatory practices for public corporations, which include certain requirements for retention of records. The Health Insurance Portability and Accountability Act of 1996 requires that most data and records about patients be maintained with strict privacy. Your business should have its own records retention policies, designed to protect you, your business, and your company from lawsuits, downtime, and loss of revenue caused by unforeseen events.

Your data backup and retention policies should be integrated with your records retention policies. Because so many of your important records are maintained in electronic form, your data backup retention plan may be more consequential than a safety net for disaster recovery alone. If your data backups are not maintained according to policy, you may be subjected to legal action, loss of business, or worse.

Internal audits will help you determine whether your data backups are being retained in accordance with policy. In some cases, outside auditors will examine your policies and check that you are actually retaining your records, including electronic records, in compliance with applicable laws. Most auditors will want to see a plan and also verify that the plan is implemented and operational. Auditors or not, it is essential that you verify that your records retention policies are implemented and working properly. In particular, backup data retention tends to be more problematic and requires more detailed inspection.

Manual data backup systems can be difficult and time-consuming to verify. It is often the case that media are not properly or consistently labeled. It is also common to find that media are overwritten or otherwise mishandled, resulting in loss of data that should have been retained. Reviewing logs offers only limited verification. The only way to verify that historical backup media actually contain the correct data is to physically mount the media and inspect the contents.

More robust automated backup systems usually maintain a catalog of media and their contents, but there is no guarantee that the media actually contain the data the catalog indicates. Although the better automated backup systems protect against improper overwriting or formatting of backup media, they cannot prevent all human error, such as mislabeled media.

Online backup services tend to be the easiest to verify. They maintain a catalog of backup data much as the aforementioned automated backup systems do, except that no physical media are involved. Because online backup services are usually entirely automated, there is little opportunity for human error. Without the opportunity for media to be mishandled, the online backup service's catalogs tend to be accurate, which makes it much easier to verify that the data backup and retention policies are being implemented correctly.
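The three checks described above (is a backup cataloged for every date the policy requires, is the recorded media still readable, and do its contents still hash to what the catalog says) can be scripted so the catalog is never taken on trust. The following Python is an added example, not code from the original post; the retention rule, the catalog layout and the sample backup files are assumptions constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import date, timedelta

def sha256_of(path):
    """Hash in chunks so a large archive is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def required_dates(today, daily_days, monthly_months):
    """Assumed rule: a backup for each of the last daily_days days plus one
    dated the 1st of each of the last monthly_months months."""
    wanted = {today - timedelta(days=i) for i in range(daily_days)}
    y, m = today.year, today.month
    for _ in range(monthly_months):
        wanted.add(date(y, m, 1))
        y, m = (y, m - 1) if m > 1 else (y - 1, 12)
    return wanted

def verify(catalog, today, daily_days=7, monthly_months=3):
    """catalog maps backup date -> {"path", "sha256"} as the backup tool recorded it.
    The catalog is not trusted: each required backup is re-hashed (mounting the media)."""
    findings = {"missing": [], "unreadable": [], "mismatched": []}
    for d in sorted(required_dates(today, daily_days, monthly_months)):
        entry = catalog.get(d)
        if entry is None:
            findings["missing"].append(d)          # policy requires it, never cataloged
        elif not os.path.isfile(entry["path"]):
            findings["unreadable"].append(d)       # cataloged, but media cannot be mounted
        elif sha256_of(entry["path"]) != entry["sha256"]:
            findings["mismatched"].append(d)       # media mounts, contents are not what was cataloged
    return findings

def demo():
    """Constructed sample: 4-day daily policy; one good backup, one whose media
    was overwritten after cataloging, one whose file is gone, one day never run."""
    today, tmp, catalog = date(2024, 3, 10), tempfile.mkdtemp(), {}
    for i, label in enumerate(["good", "overwritten", "lost"]):
        p = os.path.join(tmp, f"backup-{label}.tar")
        with open(p, "wb") as f:
            f.write(f"payload {label}".encode())
        catalog[today - timedelta(days=i)] = {"path": p, "sha256": sha256_of(p)}
    with open(catalog[today - timedelta(days=1)]["path"], "wb") as f:
        f.write(b"rewritten")                       # media reused after cataloging
    os.remove(catalog[today - timedelta(days=2)]["path"])  # media lost
    return verify(catalog, today, daily_days=4, monthly_months=0)
```

Each finding category maps to a different failure the post describes: a gap in the schedule, mishandled or lost media, and media that mounts but no longer holds what the catalog claims.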

2 comments:

James Morgan - Puritan Financial Advisor said...

Your business should have its own records retention policies that are designed to protect you, your business, and your company from lawsuits, downtime, and loss of revenue caused by unforeseen events.

James Morgan - Puritan Financial Advisor said...

The reviewing of logs only offers limited verification. The only way to verify that historical data backup media actually contain the correct data is to physically mount the media and inspect the contents.