The IT manager at Cancer Care Group, P.C. thought nothing of throwing a backup tape which contained the names, addresses, dates of birth, Social Security numbers, insurance information and clinical information of approximately 55,000 patients in the back seat of their car (read the article).
They probably did this every week for years, years before HIPAA existed, in order to comply with their disaster recovery procedures. What they didn’t think about was what their legal and compliance teams would think about this.
When organizations’ IT departments work in a vacuum and don’t understand the implications of preserving and archiving data to tape and then carelessly transporting these records outside the protection of the corporate environment, they expose their organization to financial harm.
Data governance should not take place in the back seat of a car. It should be in corporate conference rooms where IT and legal collaborate to determine what is the best course of action to protect and manage sensitive corporate records. Data governance means knowing what exists, where it is (even backup tapes), and how it is managed according to policy. I am assuming for most organizations this would not include the back seat of a car.
When IT made the decision to move data offsite via backup tapes in order to fulfill their disaster recovery strategy, they cost the organization $750,000 in fines, years of litigation and a multiyear corrective action plan that is to be monitored by the Department of Health and Human Services (HHS), not to mention public embarrassment.
In today’s legal and regulatory climate it is astounding that IT organizations have the freedom to carelessly manage sensitive corporate records. Decades of corporate records archived on backup tapes are stored in salt mines, basement cabinets, employees’ garages, even backseats of cars apparently.
How will organizations implement sound policies and procedures in compliance with regulations like HIPAA if they don’t even know what they have or where it is?
Tapes are a great, cost-effective tool for backup, but disaster recovery tapes aren’t a capable archive. Archiving data from tape, including the legacy stockpiles, is critical in forming a sound data governance policy and securing data from compliance issues, data breaches and the back seat of a well-meaning employee’s car.