Compliance regulations are defining the ways federal, state, and business organizations are managing their operations. These regulations have many unique requirements, although all have one common need to ensure that organizations can maintain continuous operations and ensure data can be recovered on demand. The regulations also require that each plan be assessed on a periodic basis to ensure disaster preparedness and data availability. EverGreen has experience assisting our clients with ensuring they can meet the following compliance regulations:

• Federal Rules of Civil Procedure - The Federal Rules of Civil Procedure that address the discovery process for electronically stored information ?ESI were amended by the Supreme Court in April 2006. The amended rules require an inventory of the relevant electronic information be presented to the judge within 99 days of from the date a complaint is filed with the court. The Amendments requires the type of data that needs to be collected, where it is stored, and its accessibility. Hefty fines may be levied for noncompliance.

  All federal cases require compliance, and companies need to be prepared to meet this requirement. While the rules take into account the accessibility of the data, its recovery time, and its cost, it is still the obligation of the company being challenged. Many companies are beginning to be aware of these new rules and still consider that their backup process can provide the data. This can be a serious miscalculation as email data is often not retained to the extent need by the courts as defined within the FRCP requirements.

  Once companies clearly understand their obligations, they will need to change their approach to data protection, accessibility, and the ability to present the data in a format required by the courts.

  Additional important Amendment links:

  Rule 26
  Rule 34

• NASD 3500 - The Securities Exchange Commission on April 7, 2004 approved NASD Rule 3500 Series, which requires all its members to have a business continuity plan that is updated at least once per year. The plan must be disclosed by NASD members to their customers. The plan must detail how the member will respond to emergencies that may affect operational continuity. Rule 3500 requires that the plan include the following:
  
  
  • Emergency contact information
  • Description of current operations
  • Alternate recovery sites
  • Customer access information
  • Data backup and retrieval procedures
  • Mission critical applications and systems
  • Communication procedures
  • Reporting and disclosure policy
  • Testing and training processes
  • Management approval of the continuity program

• Sarbanes-Oxley - The Sarbanes-Oxley Act (SOA) of 2002  was enacted to protect against unfair accounting and management practices in the reporting of corporate financial results. There are no direct requirements to have a business continuity plan in SOA. Section 404 states in part:

  "internal control structure and procedures for financial reporting, and contain an assessment as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."

  While a Business Continuity Plan is not required, SOA provides the assurance and reporting methodology for the internal control structure to ensure that financial reporting can occur. If data is lost, or if business processes and IT infrastructure are inadequate to support operational continuity,  reporting will fail to occur. The acid test that auditors use to determine whether a company is a "Going Concern" will be determined based on their perception resulting from the annual financial review and its dependency upon operational continuity.

• FEMA FPC 65 - The Federal Emergency Management Agency (FEMA), which is now part of the Department of Homeland Security, issued Federal Preparedness Circular (FPC 65)  on June 15, 2004. FPC 65 requires all Federal Branch Executive government agencies to have a Continuity of Operations Plan (COOP). The COOP is designed so all agencies can maintain continuity of operations and be recovered in less than 12 hours following any emergency situation. The primary objectives of a COOP are the following:
  
  
  • To ensure continuity of operations
  • Minimize loss of life
  • Mitigate disruptions to operations
  • Define transference of authority
  • Define alternate off-site operations
  • Protection of critical data and records
  • Ensure readiness through training exercises and testing
  • The plan must be capable of being implemented without warning and support operations for 30 days during any disaster situation

• HIPAA - The Health Insurance Portability and Accountability Act of 1996  requires that the Department of Health and Human Services develop a standard for handling medical transactions and protecting individual rights as they relate to medical records. Each entity that has access to an individual's records, as designated in section 142.302, must assess potential risks and vulnerabilities to the individual health data and develop, implement, and maintain appropriate security measures. The IT infrastructure must meet pre-specified continuity of operation and security requirements. Business partners who are involved with the exchange of records must also protect the confidentiality and availability of exchanged data. A continuity plan must be available and regularly updated for responding to  system emergencies, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster.

• NFPA 1600 - The National Fire Protection Association has issued NFPA 1600, Standards for Disaster / Emergency Management and Business Continuity Programs Edition 2004. The standard defines a common set of criteria for assessing, mitigating, developing, and testing disaster, emergency management, and business continuity plans. NFPA 1600 has been endorsed by DHS/FEMA, NEMA, IAMA, and the American National Standards Institute. NFPA 1600 is to be used as a standard by both public and private organizations. This common approach promotes the need for public and private organizations to coordinate their emergency response activities in order to simplify communications during emergency situations.