Data Security Backup Rules

If you back up your data to a managed service provider’s server or to the cloud, does your provider need to meet all of the data security standards you do? This vexing question becomes more complex as the number and scope of standards expand.


The Payment Card Industry Data Security Standard (PCI DSS) is a contractual obligation between the credit card providers VISA, Mastercard, and American Express and the companies that process credit card data and maintain personally identifiable information (PII). The standard is very prescriptive about how data is protected and transmitted, but it does not require that a third party storing such data meet the same data security requirements as the company that owns the data. That means it is perfectly acceptable for a company that processes credit card data and holds PII, such as credit card numbers or Social Security Numbers, to encrypt the data and then store it offsite, just so long as the storage provider does not have the encryption keys and has no way of decrypting the data.


The key to protecting data that is backed up or archived is encryption. According to the PCI DSS standard, “Implement and use strong cryptography (such as SSH, VPN, or SSL/TLS) for encryption of any non-console administrative access to payment application or servers in cardholder data environment.” If data is encrypted, the standard allows that data to be transmitted to a third party without additional security measures at the receiving site. That said, it behooves you to use secure data backup partners, regardless of what the standard says.


That is not the case for all standards. If, for example, your company is governed by the Health Insurance Portability and Accountability Act (HIPAA) of 1996, then your provider will indeed need to be HIPAA compliant as well. Federal regulations are very strict when it comes to medical records, although the standard leaves plenty of flexibility in defining who can have access. Essentially, authorized individuals include everyone from medical practitioners and hospital or clinic personnel to insurance adjusters and clerks.


Some groups outside the medical field, or only related to it, such as law enforcement and federal intelligence agencies, can also obtain access to HIPAA-protected medical records, with or without a warrant. This becomes an issue when the records are held by a third party, such as an MSP. If a warrant is required to access confidential corporate data, only the company that physically holds the data, for example the MSP or cloud storage provider, would receive the warrant; the owner of the data might not know the data is being released.


If your company is bound by any data security standards, it is incumbent on the IT manager to know whether that data can be encrypted and stored off-site. Failure to follow the rules set forth in the standards could cost the data’s owner significant fines, loss of corporate reputation, and in some cases potential criminal litigation.


For more information on backup and disaster recovery, visit http://www.genie9.com