Typically, cyber-resilience and data protection are thought of solely as IT issues. Increasingly, though, regulators are pushing organizations to build resiliency into their businesses as well. Just last month, for example, the Securities and Exchange Commission (SEC) adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose material information regarding their cybersecurity risk management, strategy, and governance.
In this blog, we explore the pivotal role backup and recovery play in maintaining compliance and share what you should consider when selecting a backup and recovery strategy tailored to meet your compliance needs.
What do regulations say about data backups?
First, a number of industry-specific regulations stipulate requirements on how backups are performed and stored. For example, the Health Insurance Portability and Accountability Act (HIPAA), which affects healthcare providers in the U.S., requires that exact copies of all electronic Protected Health Information (PHI) be backed up regularly, encrypted, tested, and stored offsite, separately from the original data.
Why must the data be stored separately? Storing both primary and backup data on the same platform creates a shared point of failure: any incident affecting the primary data, such as accidental deletion or a data breach, can also impact the backup data. By storing your backups on a separate platform, you ensure that they remain insulated from issues affecting the primary data.
In addition to HIPAA, several other industry-specific regulations call out backup requirements specifically:
- DORA (EU): “Financial entities shall set up backup systems that can be activated in accordance with the backup policies and procedures, as well as restoration and recovery procedures and methods.”
- NYDFS: “Maintain backups necessary to restoring material operations. The backups shall be adequately protected from unauthorized alterations or destruction.”
In addition, regulations such as GDPR, SEC 17a-4, SOX, and CPRA don’t call out backup requirements specifically, but do outline specific requirements for handling customers’ personal data. These can include retention periods and the type of storage technology.
What do regulations say about data recovery?
As digitization has advanced and the number of cyberattacks and data breaches has increased, regulators have placed greater emphasis on restoration and recovery. To that end, an increasing number of regulations now require testing the ability to restore and recover from a backup:
- GDPR: Article 32 ("Security of processing") states that there needs to be an "ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident."
- HIPAA: “Establish (and implement as needed) procedures to restore any loss of data" and "implement procedures for periodic testing and revision of contingency plans.”
- DORA (EU): “Testing of the backup procedures and restoration and recovery procedures and methods shall be undertaken periodically.”
- NYDFS: “Periodically, but at a minimum annually, test its ability to restore its critical data and information systems from backups.”
The updated NYDFS regulation also requires covered entities to track recovery time objectives (RTO) for information assets, which helps minimize data loss and business disruption.
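The requirements above share two practical elements: a restore must be exercised periodically rather than assumed to work, and the time it takes must be measured against a recovery time objective. The following is an added illustration, not code from the original post or from any vendor it mentions, of what such a restore drill can look like in Python. It keeps a digest manifest separate from the backup store (the "store backups separately" point made earlier), restores every object into a clean target, verifies each object against the manifest, and records whether the drill finished within the RTO. The dataset, file names, and RTO value are constructed for the example.

```python
import hashlib
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample "primary" dataset standing in for exported SaaS records.
PRIMARY_DATA: Dict[str, bytes] = {
    "accounts.csv": b"id,name\n1,Acme\n2,Globex\n",
    "contacts.csv": b"id,account_id,email\n10,1,ops@acme.example\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_backup(primary: Dict[str, bytes]) -> Tuple[Dict[str, bytes], Dict[str, str]]:
    """Copy every object into a backup store and build a separate digest manifest.

    The manifest is returned as its own object so it can be kept apart from the
    store; a restore then verifies blobs against digests the store cannot rewrite.
    """
    store = {name: bytes(data) for name, data in primary.items()}
    manifest = {name: sha256_hex(data) for name, data in primary.items()}
    return store, manifest


@dataclass
class DrillResult:
    restored: Dict[str, bytes] = field(default_factory=dict)
    mismatched: List[str] = field(default_factory=list)  # objects failing digest check
    missing: List[str] = field(default_factory=list)     # in manifest but absent from store
    elapsed_s: float = 0.0
    rto_s: float = 0.0

    def passed(self) -> bool:
        """A drill passes only if every object restored intact and within the RTO."""
        return not self.mismatched and not self.missing and self.elapsed_s <= self.rto_s

    def audit_record(self) -> str:
        """One JSON line suitable for the periodic-testing evidence an auditor asks for."""
        return json.dumps({
            "restored_count": len(self.restored),
            "mismatched": self.mismatched,
            "missing": self.missing,
            "elapsed_s": round(self.elapsed_s, 3),
            "rto_s": self.rto_s,
            "passed": self.passed(),
        }, sort_keys=True)


def restore_drill(store: Dict[str, bytes], manifest: Dict[str, str], rto_s: float) -> DrillResult:
    """Restore every manifest entry from the store into a fresh target, verifying each one."""
    result = DrillResult(rto_s=rto_s)
    start = time.monotonic()
    for name in sorted(manifest):
        blob = store.get(name)
        if blob is None:
            result.missing.append(name)
            continue
        if sha256_hex(blob) != manifest[name]:
            # Do not restore corrupted or tampered objects; surface them instead.
            result.mismatched.append(name)
            continue
        result.restored[name] = blob
    result.elapsed_s = time.monotonic() - start
    return result


if __name__ == "__main__":
    store, manifest = take_backup(PRIMARY_DATA)
    print(restore_drill(store, manifest, rto_s=60.0).audit_record())
    # Simulate a corrupted object in the backup store; the separate manifest catches it.
    store["accounts.csv"] = b"id,name\n1,Acme\n"
    print(restore_drill(store, manifest, rto_s=60.0).audit_record())
```

The audit record is what the drill is really for: a dated, repeatable statement that the restore worked, that every object matched its digest, and that the elapsed time met the objective. Running it on a schedule and keeping the output is the evidence that satisfies the "periodically test" language quoted above.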
What should you look for in a backup and recovery solution when it comes to compliance?
When tasked with selecting a suitable backup and recovery solution, you must confirm that it complies with all the major regulations, many of which we called out above. Compliance, however, extends beyond these legally binding regulations. A backup and recovery solution's certifications provide an additional layer of assurance for organizations committed to safeguarding their data assets. While not legally required, certifications like ISO 27001 and SOC 2 carry immense weight. ISO 27001 underscores a vendor's commitment to stringent information security management practices, ensuring that your data is protected in line with international standards.
On the other hand, SOC 2, which focuses on a company's data security, availability, processing integrity, confidentiality, and privacy policies, is indispensable for cloud service providers, data centers, and organizations entrusted with sensitive information. HITRUST, C5, and other certifications also bolster an organization's credibility in data protection.
In short, selecting a backup and recovery solution compliant with the prominent regulations is essential. However, going beyond and achieving certifications like ISO 27001, SOC 2, and C5 reflects an organization's commitment to a holistic approach to data security and compliance.
Achieving efficient and effective compliance through backup and recovery
Organizations that handle SaaS data need solutions that reduce the time and cost of compliance, which is where Own can help.
Own Recover is fully compliant with GDPR, HIPAA, and other regulations. Additionally, we have achieved SOC 2 Type 2 and ISO 27001 compliance. Recover, available for Salesforce, Microsoft Dynamics 365, and ServiceNow, stores our customers’ backup data independently from the SaaS vendor, enabling business continuity, faster recovery, and fewer data losses, and providing a high customer return on investment for SaaS data.
Additional features to support compliance include:
- Bring Your Own Key encryption allows customers to create their own encryption keys to add an additional layer of security to their data.
- Blockchain Verify provides customers with third-party verification of regulatory compliance.
- Data Recovery Readiness and Response (DR3™) helps organizations test data restoration procedures periodically and continuously improve their preparedness to recover from data loss and corruption incidents.
To learn more about how Own helps companies with regulatory compliance, see Own Solutions for Compliance Leaders: Simplify data compliance and minimize risk.