Legal Obligations for Backup and Recovery

February 22, 2017 | Views: 3399


Some organizations that handle sensitive data may have legal obligations to back up and store that data using a secure methodology. There may also be retention periods that must be adhered to. Some organizations, such as healthcare, financial, and accounting organizations, may not be aware of the exact rules they must follow. Meeting the requirements can be complicated and cumbersome, but it is not impossible.

Many organizations adhere to a very old backup methodology: backing up two weeks of data in rotation and then overwriting that data in the third week. While this practice is cost effective and has been around for a long time, it may no longer meet the needs and legal requirements of an organization. If your company holds accounting records or patient records, you need to take a close look at the backup, retention, and disaster recovery requirements imposed by HIPAA, HITECH, and Sarbanes-Oxley.

Some of the regulations under the Sarbanes-Oxley Act pertain to financial accounting for investor accounts, so it is important to understand the types of data your organization is handling and which part of the law affects your business. If you think you may handle some of these types of data but are unsure of your legal obligations for backup and retention, find someone with a good understanding of both technology and the law to review this for you.

For healthcare organizations there are specified retention periods for patient data as well as an offsite storage mandate; the data must be recoverable, and recovery must be tested periodically. All organizations should have a disaster recovery policy and test their methodology at least once per year to ensure that data is recoverable and usable.

If you are responsible for backup and disaster recovery within your organization and you are unsure about your legal requirements, I have provided some links below so you can read up on the laws and requirements. Although they may seem complex, and in some cases may be expensive to adhere to, compliance is not impossible.


Final Rule: Retention of Records Relevant to Audits and Reviews. (n.d.). Retrieved February 16, 2017, from

Overview of HIPAA and HITECH Data Security Requirements. (n.d.). Retrieved February 16, 2017, from

Sarbanes-Oxley Act (SOX) Compliance: Requirements for IT Security. (n.d.). Retrieved February 16, 2017, from

The Truth about HIPAA-HITECH and Data Backup. (2012, March 29). Retrieved February 16, 2017, from

  1. This is very helpful. *throws a cybyte gracefully*

  2. Backup and recovery…;_; *cries in corner hugging laptop* My poor lappy just went through hell but came out ok in the end with just a few battle scars, good thing I backed it up. Sorry I know that didn’t really have anything to do with what you said but good job on the article!!! Good info! Thanks man! ^_^ Here…*gives cypoint/byte thingie*
