Over the past decade, major legislation has been passed affecting the way public companies, financial institutions, and medical care providers manage and store their data.
Why DPS online backup makes compliance much easier

Features that simplify compliance:
• automation in moving the data off-site
• audit trails
• encryption
• preservation of all iterations of documents
• built-in redundancy

Regulations addressed:
• Sarbanes-Oxley (SOX)
• SEC/NASD
• HIPAA
• Gramm-Leach-Bliley (GLB)
• Internal Revenue Service (IRS)
Sarbanes-Oxley (SOX)
How DPS Enables Clients to Comply with SOX:
Requirement: Information cannot be tampered with or altered by any employee
• At DPS, data is always encrypted with 256-bit encryption, and DPS does not hold the client's password, so no DPS employee can decrypt the stored content.
Requirement: Trail of transactions must be discernable and kept in sequence
• At DPS, every iteration of a document is stored as a new serialized version; earlier versions are never overwritten.
Requirement: Audit trails
• At DPS, each access to a document is logged with the user, date and time.
Requirement: Information is available only to the client's authorized personnel
• At DPS, client data can be accessed only by the client's authorized personnel holding the password.
Requirement: Records must be accessible
• At DPS, all backups are available for restore 24/7.
Requirement: Certain data must be maintained for not less than 7 years
• At DPS, data remains in the DPS vaults for as long as the client chooses to retain it. The retention period is set during configuration, and once configured the data is automatically kept for that period.
About SOX
The Sarbanes-Oxley Act (SOX) of 2002 is one of the most important laws affecting public corporations to be passed in many years. Its purpose is to protect investors from a repeat of the accounting scandals of the preceding decade. SOX places the onus on companies and registered accounting firms to comply with stringent rules on the accuracy and reliability of specific information by strengthening record-retention requirements and the auditing and reporting of those records.
Provisions of the Act define what must be maintained, how long relevant material must be maintained, accounting procedure requirements, and the criminal and civil consequences of failing to follow the Act. (The Act contains no specific language about the mechanism or method of storing information.) Because financial reports are held to a more rigorous standard, the storage of the underlying records becomes vitally important: the trail of transactions must be secure. Regulated companies choosing a storage method will therefore look for one that ensures they can satisfy the legal requirements of SOX, which in practice means increased use of online remote data storage facilities and services.
Because an online data storage facility is not privy to the contents of the information it stores for a client, the facility is not responsible for ensuring that its customer is in compliance with what is being kept or with who in the company (including independent auditors) has access; it is, however, accountable for the availability and security of the stored information. The facility must have safeguards in place to ensure its quality control standards include the following:
• that stored information cannot be tampered with (altered) by any employee;
• that the client can ascertain when the information was created (the records kept must allow a trail of transactions to be discernable so that ongoing transactions are kept in sequence);
• that safeguards are in place to ensure information is available only to the client's authorized personnel;
• that records are accessible whenever needed; and
• that the facility can maintain the data for the period stated in the Act (Section 103(a)(2)(A)(i): audit work papers and other information relating to any audit report must be kept for not less than 7 years).
SEC/NASD/NYSE
How DPS Enables Clients to Comply with SEC/NASD/NYSE:
Requirement: Verify automatically the quality and accuracy of the storage media recording process
• At DPS, data is verified automatically every time a backup takes place.
Requirement: Serialize the original and, if applicable, duplicate units of the storage media, and time-date the information placed on such electronic storage media for the required retention period
• At DPS, even after data is restored to the client system, the original remains in the vault in exactly the state of the initial backup until it is cycled off at the end of the chosen retention period (whether that period is a day or 7 years). The DPS automated process and its detailed reporting give regulators a clear picture of the chain of custody of the stored information, as well as rapid access should it be required. All access to the stored data is documented and time/date stamped.
Requirement: Have the capacity to readily download indexes and records preserved on the electronic storage media to any acceptable medium
• At DPS, data is available for online restore 24/7, 365 days a year. All backups are stored together with their catalogs (indexes) and are accessible to authorized users at all times.
Requirement: Store separately from the original a duplicate copy of the record on any acceptable medium for the required time
• DPS online backup backs up the original and duplicates it to a remote location. This is not a "mirrored" process, in which a change or corruption on one side is immediately reproduced on the other, but a process that ensures the original data and any duplicate copies are verified identical. The data is stored on fault-tolerant disk media.
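The properties claimed in the SOX and SEC sections above (every iteration kept as a new serial version, each access stamped with user and time, the duplicate copy re-verified against the original, and deletion refused until the retention period has run) are easier to reason about as a small model. The following is an added illustrative example written for this page, not DPS software: the in-memory `replica` dictionary stands in for the remote duplicate, the injectable `clock` exists so retention can be exercised without waiting years, and the ledger contents and user names are constructed for the demo.

```python
"""Toy model of a serialized, append-only backup vault with integrity
verification, a time-stamped audit trail and retention enforcement.
Added example for this page, not DPS code."""
import hashlib
from datetime import datetime, timedelta, timezone


class RetentionError(Exception):
    """Raised when a caller tries to cycle data off before its retention period ends."""


class VersionedVault:
    def __init__(self, retention_days, clock=None):
        self.retention = timedelta(days=retention_days)
        # Injectable clock (assumption for the example) so retention can be tested.
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.versions = {}   # path -> list of version records in serial order
        self.replica = {}    # sha256 hex -> blob; stands in for the remote duplicate
        self.audit = []      # every access, stamped with user and UTC time

    def _log(self, user, action, path, serial):
        self.audit.append({"ts": self.clock().isoformat(), "user": user,
                           "action": action, "path": path, "serial": serial})

    def backup(self, user, path, blob):
        """Store a new serialized version; earlier versions are never overwritten."""
        blob = bytes(blob)
        digest = hashlib.sha256(blob).hexdigest()
        serial = len(self.versions.setdefault(path, [])) + 1
        self.versions[path].append({"serial": serial, "sha256": digest,
                                    "stored": self.clock(), "blob": blob,
                                    "expired": False})
        self.replica[digest] = blob              # duplicate to the remote copy
        self._log(user, "backup", path, serial)
        return serial, digest

    def verify(self, path):
        """Re-hash the primary and the duplicate of every live version.
        Returns {serial: True/False}; False means tampering or a media error."""
        out = {}
        for rec in self.versions.get(path, []):
            if rec["expired"]:
                continue
            primary_ok = hashlib.sha256(rec["blob"]).hexdigest() == rec["sha256"]
            dup = self.replica.get(rec["sha256"])
            dup_ok = dup is not None and hashlib.sha256(dup).hexdigest() == rec["sha256"]
            out[rec["serial"]] = primary_ok and dup_ok
        return out

    def restore(self, user, path, serial=None):
        """Return a copy of a version (latest by default); the vault record is untouched."""
        recs = self.versions[path]
        rec = recs[-1] if serial is None else recs[serial - 1]
        if rec["expired"]:
            raise KeyError(f"{path} serial {rec['serial']} has been cycled off")
        self._log(user, "restore", path, rec["serial"])
        return rec["blob"]

    def expire(self, user, path, serial):
        """Cycle a version off only once its retention period has elapsed."""
        rec = self.versions[path][serial - 1]
        keep_until = rec["stored"] + self.retention
        if self.clock() < keep_until:
            raise RetentionError(f"{path} serial {serial} retained until {keep_until.date()}")
        rec["expired"], rec["blob"] = True, b""   # record stays so serials never shift
        self._log(user, "expire", path, serial)


def demo():
    """Two revisions of a ledger, a tamper attempt on the primary, and a premature delete."""
    now = [datetime(2010, 1, 1, tzinfo=timezone.utc)]   # constructed, controllable clock
    vault = VersionedVault(retention_days=7 * 365, clock=lambda: now[0])
    vault.backup("alice", "ledger.csv", b"acct,amount\n1001,500\n")
    now[0] += timedelta(days=1)
    vault.backup("alice", "ledger.csv", b"acct,amount\n1001,500\n1002,75\n")

    first = vault.restore("auditor", "ledger.csv", serial=1)   # prior iteration still readable
    vault.versions["ledger.csv"][1]["blob"] = b"acct,amount\n1001,50\n"  # simulated tampering
    integrity = vault.verify("ledger.csv")                     # serial 2 no longer matches

    try:
        vault.expire("mallory", "ledger.csv", 1)               # inside retention: refused
        early_delete_refused = False
    except RetentionError:
        early_delete_refused = True
    return first, integrity, early_delete_refused, vault.audit
```

The verification step compares the primary against the independently stored duplicate by hash rather than by copying one over the other, which is what separates "verified identical" from "mirrored": a corrupted primary fails verification instead of silently overwriting the good copy.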
Health Insurance Portability and Accountability Act (HIPAA)
How DPS Enables Clients to Comply with HIPAA:
Requirement: Electronic protected health information (ePHI) must be protected against any reasonably anticipated threats or hazards.
• At DPS, data is housed in two separate Tier 4 data centers (the highest tier). Both the primary center and the secondary remote center are heavily secured, and redundant fail-safe systems protect the data at every step of the backup and storage process.
Requirement: Access to ePHI must be protected against any reasonably anticipated uses or disclosures that are not permitted or required by the Privacy Rule.
• At DPS, data is encrypted before transmission and is maintained in encrypted form at all times.
About HIPAA
The Health Insurance Portability and Accountability Act of 1996 imposes standards for the privacy and protection of all health information that can be linked to an individual. Health and Human Services (HHS) has published final HIPAA regulations that affect virtually every area of health-related organizations in the United States, from the one-physician office to hospitals, health systems, HMOs, health care support services, and others. Part of the Act is focused on the secure storage and transmission of confidential patient data over computer networks. The privacy regulations were released in December 2000, took effect on April 14, 2001, and compliance was required from April 2003.
Non-compliance carries stiff civil and criminal penalties.
All health care organizations are affected in some way by HIPAA. The entities affected include all health care providers (even one-physician offices), health plans, employers, public health authorities, hospitals, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities.
Protected health information (PHI) is defined broadly: all individually identifiable health information in any form or medium, including subsets such as demographic data. The HIPAA privacy mandate defines who is authorized to access information (the right of individuals to keep information about themselves from being disclosed). HIPAA requires the ability to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity, confidentiality, and availability of that information.
Healthcare organizations are required to individually assess their security and privacy requirements and take suitable measures to protect electronic data both in transit and in storage. If the data is processed through a third party such as DPS, the entity must enter into a business associate agreement (the proposed rule called this a chain of trust partner agreement): a contract in which the parties agree to exchange data electronically and to protect the transmitted data. Sender and receiver are each required, and depend on each other, to maintain the integrity and confidentiality of the transmitted information.
Civil Penalties
The “American Recovery and Reinvestment Act of 2009”(ARRA) that was signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations (see below). The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The Secretary is still prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended).
| HIPAA Violation | Minimum Penalty | Maximum Penalty |
| Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation due to willful neglect but violation is corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violation | $50,000 per violation, with an annual maximum of $1.5 million |
| HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million | $50,000 per violation, with an annual maximum of $1.5 million |
Criminal Penalties
In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and the specified individuals described in that guidance who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000 and imprisonment of up to one year. Offenses committed under false pretenses raise the penalties to a $100,000 fine and up to five years in prison. Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of up to $250,000 and imprisonment for up to ten years.
Gramm-Leach-Bliley (GLB)
How DPS Enables Clients to Comply with Gramm-Leach-Bliley (GLB):
Requirement: Preserve the records exclusively in a non-rewriteable, non-erasable format
• DPS preserves the records exclusively in a non-rewriteable, non-erasable format.
Requirement: Ensure the security and confidentiality of customer information
• At DPS, data is compressed and then encrypted with 256-bit encryption before transmission, and is always maintained in that compressed, encrypted state.
Requirement: Protect against any anticipated threats or hazards to the security or integrity of such information
• At DPS, data is housed in two separate Tier 4 data centers. Both the primary center and the secondary remote center are heavily secured, and redundant fail-safe systems protect the data at every step of the backup and storage process.
Requirement: Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer
• At DPS, access is restricted by password authentication, and every access to data is date and time stamped by user, providing a clear audit trail.
About GLB
The Gramm-Leach-Bliley Act (GLB) was enacted in 1999. Among its provisions is a set of rules designed to protect the privacy interests of individuals in their dealings with financial institutions. Financial institutions, broadly defined, that handle non-public personal information are required to abide by GLB.
Affected organizations must provide reasonable administrative, technical, and physical safeguards to protect customer information from unauthorized disclosure, alteration, or deletion. The regulations also require organizations to take reasonable steps to engage and use only service providers that are capable of safeguarding the protected customer information.
Internal Revenue Service (IRS)
How DPS Enables Clients to Comply with Internal Revenue Service (IRS) Requirements for Businesses Using Electronic Media:
Requirement: The IRS requires organizations that use electronic media for transactions to generate adequate electronic documents supporting those transactions and to retain them for IRS audit and verification.
• The DPS service allows secure storage for the period the IRS requires.
Business Solutions
In today's around-the-clock e-business environment, data volumes are growing at an explosive rate, and protecting this information is crucial. Companies need immediate and constant access to critical information to ensure business continuity when disaster strikes.
Most backup solutions make restoring data a cumbersome and risky process. Manually retrieving off-site tapes and recovering files from them can be problematic for several reasons. With Internet Vault you eliminate these issues: the automated online backup runs without manual intervention, off-site transmission and storage provide a necessary safeguard for your data under the protection of industrial-strength encryption, and instant access to your data allows quick and easy recovery. Cost savings come not only from avoided hardware and software costs but also from the time saved.
Using the DPS online data backup service is simple. Our engineers have taken great strides to make the data recovery process easy to manage and straightforward in design. The ability to restore specific files and data components on the fly, and to do it quickly, is our core offering. Our advanced functionality and enhanced features offer much more, and give us major advantages over our competitors.
DPS is the solution of choice for companies that want to take the hassle out of traditional backup routines and move to a highly secure, easy to manage off-site storage solution. To learn more about how your company can integrate the DPS Enterprise Online Backup and recovery service into your backup plans, please fill in the online form.
Secure Online Backup
At DPS, we realize the importance of each component in the provision of secure online backup. We deliver reliable data protection by setting ever higher goals for quality, performance, and customer satisfaction.
Software
• Industry-leading proprietary backup software
• Includes modules for Exchange and for databases
• Open File Management software
• Over 1,000,000 users worldwide

Hardware
• Finest available, selected for performance and reliability
• Fault tolerant, with standby "hot spares" and replacement stockpiles
• Continuously upgraded

Support
• Knowledgeable, experienced technicians
• 24 x 7 real-time call center support
• Rapid response team, for when you need your data fast

Facilities
• Utility-class data centers
• Super-fast fiber optic connections from multiple separate Tier 1 Internet service providers
• State-of-the-art fire suppression and environmental controls
• Multiple power systems

Operations
• Redundancy built into every step of our service
• 24/7 onsite staffing and monitoring
• Security controls incorporated in every process
