Section 24.1. Business Reasons for Data Protection

Like many other IT functions, data protection exists to mitigate risks, reduce costs, or improve service levels, and any data protection strategy should be judged against those three objectives.

24.1.1. Mitigating Risk

The primary job of a data protection system is to mitigate risk. In the IT world, risk mitigation is generally synonymous with data availability, internal/external security, and regulatory compliance.

24.1.1.1. Data availability

Many businesses today require that users and business applications have access to critical information 24 hours a day, 7 days a week, 365 days a year (24x7x365). Businesses that cannot access critical information may be unable to perform one or more key functions such as taking new orders or processing existing claims. Along these same lines, partners of these businesses can experience problems taking and processing orders if they don't have access to this information. Planned and unplanned outages of even a single system can therefore have serious ramifications that affect the business at hand, as well as the businesses of partners and customers.

The consequences of not being able to access data when needed can be serious and can include lost revenue (see the section "Reducing Costs," later in this chapter). Worse still, public news of these types of events can have far-reaching consequences on all parties involved, affecting brand names and reputations.

24.1.1.2. Internal/external security

Chances are good that the information that drives one business is coveted by another. In fact, to the surprise of many businesses, large and small companies often go to extreme measures, including engaging in corporate espionage, simple mischief, and electronic terrorism, to get access to key competitor customer lists, development plans, and intellectual property.

Identity theft, or identity fraud to some, is another source of concern for IT departments as they carry out data protection strategies. A customer's name or other identifying information (such as address, birth date, and identification numbers like U.S. Social Security numbers) is about all someone needs to fraudulently empty bank accounts or gain access to credit.

Theft of or access to strategic business information can also have a number of serious business consequences, including loss of competitive advantage, loss of good corporate image, government-imposed fines, and even the loss of a business. All of these have happened to one or more major businesses in the last few years:

  • Sadly, more than one company ceased to exist on September 11, 2001, when it was discovered that their hot site was in the second tower.

  • The dreaded "adverse inference"[*] instructions were given in more than one major U.S. lawsuit, resulting in a judgment for the plaintiff and hundreds of millions of dollars in fines.

    [*] Adverse inference is when a judge instructs a jury that the absence of a given piece of proof suggests that the claims the plaintiff is making are correct, even if the actual evidence is not present. It is an extreme measure used only when the judge feels the actual evidence was destroyed or covered up.

  • The reputation of several major companies was irreversibly damaged when it was revealed that they had not maintained control of the personal information of their customers.

24.1.1.3. Regulatory compliance

Regulatory compliance adds another layer of IT risk. Businesses today must contend with an increasing number of government and nongovernment regulations. For example, organizations that store the medical information of U.S. citizens are subject to the Health Insurance Portability and Accountability Act (HIPAA). Financial organizations doing business in the U.S. must address the Securities and Exchange Commission (SEC) 17a-4 rule requirements, and industries of all types are accountable to Sarbanes-Oxley (SOX) stipulations. Anyone doing business with residents of the European Union will be very familiar with the Data Protection Directive of 1998, which governs the control and access of personal information, such as "an identification number or...one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." Each major country in the world either has or is developing similar regulations. The risks of noncompliance are serious and can include fines that are often in the hundreds of millions of U.S. dollars, prosecution of key corporate officers, or a loss of business such that the organization is forced to close its doors.

24.1.2. Reducing Costs

When data is not protected properly, businesses can rack up a lengthy list of hard costs (such as fines levied on an organization in an electronic discovery suit) and soft costs (such as missed business opportunities or damaged reputation). An effective data protection strategy is able to minimize these costs by ensuring that data is available to authorized users who need it, when they need it, and according to business objectives.

24.1.2.1. Downtime costs

If the information that a company uses to generate revenue is unavailable, revenue is lost. However, just how much revenue a company ultimately loses depends on a number of factors including the type of business, the type of data that is unavailable, and how long the data is unavailable. The monetary cost can range from hundreds to millions of U.S. dollars per hour of downtime.

But downtime can also spell missed opportunity, which, though more difficult to quantify, may have equally lasting consequences for revenue. For example, customers who are unable to interact with a company because key information (such as data needed to process orders) is unavailable may choose to take their business elsewhere either temporarily or permanently. A long-time customer may be more willing to excuse downtime than a first-time customer.

Downtime also translates into a variety of other costs, including wages (that is, paying employees to do a job they can't perform while the data is unavailable) and even additional storage costs in the form of extra backup copies. Employees, in particular those who do not believe their information is being protected properly, may keep extra copies of critical information on disk, tape, and other storage media. Depending on the number of extra copies made and the type of storage media used, the added cost can be substantial.

24.1.2.2. Electronic discovery

Electronic discovery is the practice of requesting information that has been stored digitally. For example, in a lawsuit a company may be ordered to provide all emails to and from a given employee or containing a certain set of keywords. The SEC may order a brokerage firm to forward all emails containing the words "promise" and "guarantee." The EU may request proof of compliance with the Data Protection Directive. If a company is not set up to retrieve information in this fashion (that is, if this type of information is not immediately available), the costs of satisfying an electronic discovery request can quickly become quite large. While a defendant can petition the court to declare such costs unreasonable, a given judge may or may not grant the petition. Plenty of precedents in various state and federal cases show such requests being denied.

24.1.2.3. Security breaches

A security breach is any unauthorized access to company information. As with downtime, the costs associated with a security breach can be difficult to quantify and can vary greatly among companies. Laws governing security breaches vary by location. Some U.S. states require companies to publicly disclose security breaches, a requirement that can be financially devastating; others do not. Depending on the industry, a company may or may not be subject to a fine because of a breach. Companies doing business with persons who live in the European Union are subject to how the member country implemented the "judicial remedies, liability, and sanctions" chapter of the Data Protection Directive.

24.1.2.4. Data classification

Not all information has the same value within an organization, and it shouldn't be treated as if it does. Doing so can significantly increase data protection costs. For example, depending on the industry, an archived copy of a three-year-old order may not have the same value as data pertaining to a new product or service. However, many organizations mistakenly apply the same level of data protection to both types of information and store both on costly primary (or high-end) disk.

The key here is to classify information based on the age, regulatory status, and business importance of the data today and over time and then match storage systems and data protection levels accordingly. Companies that follow this type of plan can significantly reduce the total cost of ownership (TCO) of their storage resources.
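The classification step described above, worked through as an added example that is not from the book: each data set is mapped to a storage tier and protection level from its age, regulatory status, and business importance. The tiers, retention periods, and sample data sets are assumptions constructed for this illustration, not figures the chapter gives.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Storage/protection tiers: constructed for this example, not the book's own scheme.
TIERS = {
    "primary":  {"media": "high-end disk", "backup_every_hours": 1,   "copies": 3},
    "nearline": {"media": "midrange disk", "backup_every_hours": 24,  "copies": 2},
    "archive":  {"media": "tape",          "backup_every_hours": 168, "copies": 2},
}
# Assumed minimum retention in years for the regulations named in the text (policy inputs
# chosen for this example); unregulated data falls back to DEFAULT_RETENTION_YEARS.
RETENTION_YEARS = {"HIPAA": 6, "SEC 17a-4": 6, "SOX": 7}
DEFAULT_RETENTION_YEARS = 3

@dataclass
class DataSet:
    name: str
    last_modified: date
    importance: str            # "critical", "standard" or "low"
    regulations: tuple = ()    # subset of RETENTION_YEARS keys

def classify(ds: DataSet, today: date) -> dict:
    """Map one data set to a tier by age, regulatory status and business importance."""
    age_days = (today - ds.last_modified).days
    if ds.importance == "critical" and age_days <= 90:
        tier = "primary"                      # hot data stays on costly primary disk
    elif ds.importance != "low" and age_days <= 365:
        tier = "nearline"                     # recent but not critical: cheaper disk
    else:
        tier = "archive"                      # e.g. the three-year-old order: tape
    years = max([RETENTION_YEARS[r] for r in ds.regulations], default=DEFAULT_RETENTION_YEARS)
    retain_until = ds.last_modified + timedelta(days=365 * years)
    return {
        "tier": tier, **TIERS[tier],
        "immutable_copy": bool(ds.regulations),   # regulated data: keep a write-once copy
        "retain_until": retain_until,
        "expired": today > retain_until,          # eligible for deletion under the policy
    }

TODAY = date(2006, 6, 1)   # constructed reference date
SAMPLE = [                 # constructed data sets
    DataSet("archived order 2003", date(2003, 5, 1), "standard"),
    DataSet("new product plan", date(2006, 5, 20), "critical"),
    DataSet("patient records", date(2006, 1, 15), "standard", ("HIPAA",)),
    DataSet("broker email", date(2000, 3, 1), "low", ("SEC 17a-4",)),
]

def plan(today: date = TODAY, datasets=SAMPLE) -> dict:
    """Classify every data set; returns {name: classification}."""
    return {ds.name: classify(ds, today) for ds in datasets}
```

Running `plan()` shows the three-year-old order landing on tape while the new product plan stays on primary disk with hourly backups, and the regulated sets carrying an immutable-copy requirement and a longer retention date.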

24.1.3. Improving Service Levels

What does data protection have to do with business service levels? More specifically, how can better data protection help companies improve these levels? It boils down to the age-old dilemma of accessibility versus security: the more available information is to various applications, the greater the potential business benefit. However, the more users who have access to information, the greater the likelihood that someone without proper authorization can gain access to that information.

Companies that "lock down" mission-critical information are missing out on clear opportunities to increase productivity throughout the enterprise. The challenge is finding a way to strike a balance between accessibility and security.




Backup & Recovery
Backup & Recovery: Inexpensive Backup Solutions for Open Systems
ISBN: 0596102461
Year: 2006
Pages: 237