This article is written by Venkat Ramaiah Chavali, pursuing a Diploma in Business Laws for In House Counsels from Lawsikho.com.

Introduction and Scope

How can you ensure that your business data backup is secure and effective? Good question!

In colloquial American usage when some answers a question with a reply ‘Good question’ it does not mean your question is good; it is an idiomatic expression to say “sorry, there is no answer, or I do not have one”. In the context of this article it is meant to say there are many ways but none with a warranty or guarantee.

We all know what a Deloitte survey established that even small businesses generate data. Any business that accepts any kind of digital/electronic payment, or uses internet, or has social media presence is collecting data about customers, like their names, telephone numbers, identity details, interests, habits, etc.

Backup or ‘data backup’ is a common term in information technology (IT) which means a copy of data stored elsewhere as a necessary precaution to restore the original in the event of data loss. Backup is used in the noun form while back up stands for the process – the verb. Have you not heard the catchphrase drilled into every computer user “Back up before you pack up”? 

Data security means the protection from unauthorized access or use of the data of an entity, including leakage, transfer, alteration, misuse, disclosure, or destruction. 

In this article, further defining of the computer and IT related terms is done minimally. The reason being the field is replete with jargon, and luckily the words have become commonplace. If you come across such a commonly known unknown term, please ask a youngster – not an elder he may be more ignorant than a toddler on these – or better still refer a ‘Glossary of IT Terms’. 

This article is mainly intended to be a primer for small and medium businesses, that are not computer savvy and have only a smattering knowledge of the data loss issues, with focus on backup data security. 

To make the subject lucid an informal tone and colloquial language is used with easy to relate comparisons while not compromising on the quality of the content. 

The Importance of Data & Data Security

Figuratively, data is the assiduously acquired wisdom and building blocks of a business. Its corruption or loss impairs the business at least to that extent till it is restored or reacquired. What hurts more is that leakage, or hacking of data is a double whammy; it not only impairs business but also leads to loss of its credibility, not to speak of the legal issues the business would be mired in. 

Let me explain the importance of data for business. Once you have sufficient data by using proper analytical tools data helps:

1. In making better business decisions
2. In knowing consumer preferences and buying habits
3. Improve customer service and retention
4. Keep track of your transactions and money
5. Movement and use of material and money
6. Plan market strategy, etc.

Thus, data and therefore its security are not only important for above reasons but also a must for statutory compliances. 

While big businesses can generate more data compared to small or medium, the small and medium can benefit more being agile to quickly move and adapt using big data than a behemoth. Let no body think that one must adopt clandestine ways to obtain data, there are ethical and legal ways of purchasing big data by small companies. So, any data a business has is its asset and its loss is not just that but more in terms of credibility and legal liability; hence the importance of keeping it secure. 

How Data is Lost

Wondering why talk of losing data when all we want is to secure it?

The answer is simple: If you know better, you can do better. Let me clarify with a small example. It is common knowledge that when we open/go to unknown sites on the internet we run the risk of importing a virus into our computer system. We open many sites during our daily business that start with either http:// or https://. But have you cared to notice the difference between the two? Yes! The additional ‘s’ at the end of http:// is the difference, which makes all the difference. ‘s’ stands for secure; you are safe to enter that site without the fear of virus (malware). But if it is without that additional ‘s’ we cannot be sure, may be safe may not be safe. Do you see how this iota of additional knowledge helps you do so much better to protect your system by checking before you click open? So, let us now dig a little deep.

Data can be lost by accident or by ill-intentioned human action. 

Accidental loss:

Accidents do not happen; they are caused by ignorance, human mistake, or negligence. They can be easily taken care if there is a will. Majority of these can be prevented by installing a suitable power source, with protections like proper earthing, voltage stabilizer and spike buster that take care of the voltage fluctuations. 

Some Common Mistakes That Cause Data Loss While Backing Up 

• Forgetting to back up
• Not naming the backup files
• Checking back that the backup is properly saved and retrievable
• Not backing up regularly and daily as a discipline (so it becomes a habit and policy)
• Saving backup files on the same disc/hardware as the original files

We will not dwell further on accidental loss in this article.

Loss due to covert mala fide human interference:

There are many ways to skin a cat. Some of them in an ascending order of complexity or danger are – 

• Virus – a malicious program that attaches itself to a legitimate program and alters it; it spreads from computer to computer. 
• Worm – it is a stand-alone malware and does not need a program to attach itself. It uses a computer to spread itself, relying on the security failures of the target computer to access it. 
• Malware – refers to software that damages devices, steals data and causes havoc. There are several types of malware like Viruses, Trojans, Spyware, Ransomware, etc. There are anti-malware tools in the market.
• Bots – are internet robots. They are also known as spiders, crawlers, and web bots. Though they are conceived for performing repetitive jobs like indexing a search engine, they often come in the form of malware. Malware bots are used to gain total control over a computer. 

The above are mentioned because even today many businesses use an antivirus software on their system and think that it is the be-all and end-all of security. They think their data is secure and safe! Unfortunately, it is not. Let me once again reiterate if you know better you can do better. There is no substitute to awareness. 

Distinction Between ‘Data and ‘Backup Data’

Every day of business more and more data is collected and saved on the computer. Since we cannot physically see it growing, we seldom review the data to retain what is useful and remove what is transient and not required later. Data storage cost is a function of size of the data stored. The more data you have, longer it takes for computer to locate it. And, when you lose it, you lose the baby with bath water. 

Data includes all and any information temporary, permanent, confidential, general, sensitive, personal, etc., stored on the computer system of the business. Whereas backup data is only that part of data that is confidential, sensitive, personal, and precious which you cannot afford to lose. It is copied and stored as a backup to safeguard against its possible loss. You do not mind losing the bathwater but not the baby.

Deciding on Backup Data

A survey done by Vanson Bourne for Veritas – the Value of Data – found that on average more than half (52%) of all data in companies remains untagged or unclassified. In other words, it is dark data. Such data that we acquire during business but never need it and use it subsequently is called ‘dark data’. 

The need of businesses is to improve their data management strategies using right tools and remove dark data from their system. ‘More than half of data a business stores is dark data’ as those saving the data do not know the usefulness or otherwise of the data they are storing.

The rule is: Retrieve, Backup and secure data that is to be statutorily protected and, sensitive, personal, and strategic business-related data; eliminate the dark data. 

Some Data Security Platforms (more suited for big business) help in sorting and backing up data – discussed in detail under the heading securing Data and Backup data. 

Securing Data and Backup Data

Ensure your input data is clean and secure. If you backup infected data and secure it, it may be safe from external threat but internally it is getting messed up. It is like painting a termite ridden wooden door, it is safe from external elements but internally it is getting destroyed.

 If your business has multiple users and lot of internet traffic use a VPN (Virtual Private Network), it hides your traffic and IP address from third parties. It encrypts your data so you can safely use public Wi-Fi. 

According to Morgan the three essentials of data security are:

1. Confidentiality: The data should be made accessible only to authorized users.
2. Integrity: Only selected authorized persons and not all authorized users can alter data.
3. Availability: Data must be available to you anywhere any time.

However, such universal accessibility is not a requisite for all businesses and with specific reference to backup data it should be available only to a few designated persons in the eventuality of data loss from working system to restore the system.

To secure data on computer system as such one needs to focus and fortify at three levels of technology and user interface. They are:

• at Application level: interface applications like password manager, encrypted connections, etc.
• at Hardware level: specifically all built-in protections like Basic Input/Output System (BIOS) protection firmware, and the router.
• at Computer Operating System (OS) level: OS is system software which manages software and hardware of computer to provide common services to computer program.

In computer security parlance protection at each level is referred to as a layer of protection. 

Further, to enhance network security it is highly recommended to add a firewall, use a router to the device specified by the Internet Service Provider (ISP). It ensures compatibility and serves as an extra layer of protection. 

Having mentioned compatibility, the need for ensuring compatibility between various interconnected and interacting systems cannot be overemphasized. If they are totally incompatible the system may not perform, it is the best thing that can happen for you know pronto they are not compatible and change accordingly. But, if they are not fully compatible your system will not work at its potential; worse it becomes a weak link – a chink in the security armor – for the hackers, a vulnerability. 

You can add many layers of security solutions available in the market ensuring compatibility. Do remember each layer you add:

1. slows down the system
2. adds to your cost
3. may bar or restrict use of certain applications
4. may call for enhancing the system capacity

One needs to strike a balance between needs, wants, means, and resources. 

Just as a healthy environment, inoculation and good food in themselves do not ensure prevention of an attack by a disease if the person has a weak and vulnerable body, securing data is difficult no matter how many layers you add to an intrinsically vulnerable structure (refer the instance of UIDAI-Aadhar under the heading to follow ‘Some Big time Data Breaches’). 

If you are not using inputs from an outside source or device, you need not worry about security of your data, but it is not practical. The moment you use a pen drive to input information, or a CD or DVD (now obsolete though) you are opening the channel for malware. you are opening flood gates if you are downloading data or opening an unsecure site (http://). Choose a protection software that opens in read-only mode when you open or download information from the internet, you can then exercise edit-option if you are sure of it. Know that you can still download and save in read-only mode even if you do not exercise edit option. 

Since using internet is a high risk, you can think of connecting a low-cost parallel storage device. For example, Morgan Computers RAID 1 device, which contains two mirrored hard disks. If one disk fails, the other is still there. If the device itself fails, you still have the hard disk(s) with data that you can install in another device/computer. Depending on your need and affordability you can choose from simple RAID 1 to RAID 10 for high-end applications. RAID is an acronym for Redundant Array of Independent (or Inexpensive) Disks; it is a data storage virtualization technology.

For large businesses there are other but expensive security measures. The best is to have a suitable Data Security Platform. The platform provides benefits to security like:

• Less number of incompatibilities;
• Ease of training employees;
• Ease of managing and maintenance;
• Small number of components to patch* and upgrade ( *a patch is like a band aid – quick, economic and effective solution when a vulnerability is discovered. It is basically a software. Beware! there are also patches that can incise the data storage providing a subtle access in to and out of data storage.);
• Single vendor to contact for issues related to security etc. 

Put in layman’s terms a good Data Security Platform (DSP) apart from providing security incorporates many standalone technologies like,

• Classification and discovery of data
• Data access governance and permission management
• Retention, archiving and retrieving data
• Advanced threat detection and response

Thus, a DSP gives security with efficiency.

The market is brimming with data security solutions. Choice is both enticing and confusing. Make an optimum choice, take professional help. 

The 3-2-1 Backup Rule

The discussion is not complete without mentioning the time tested traditional 3-2-1 Backup Rule. Make at least 3 copies of data; store them at least in 2 different places of which at least 1 is offsite (preferably remote and safe from storms, floods, earthquakes, and the like in a different geographical area if you can afford). The sequestered backup data copy is extremely difficult to breach than the one being regularly used in daily transactions.

Before summing up the article, having said right at the beginning – under the heading ‘The Importance of Data & Data Security’ – that data loss is a “double whammy” it is incumbent on me to show some recent:

1. Big time data breaches, and
2. Laws and Case laws related to IT and Data

Some Big-Time Data Breaches

The reason for giving details of big-time data breaches is to emphasize that if these giants with so many layers of protection can be targeted by hackers, what to speak of medium and small businesses?

Instance of UIDAI – Aadhaar

You might have heard about the Aadhaar controversy. We all feel confident and believe that our Aadhaar data with UIDAI is secure. Here are some details.

HuffPost India after three-month long investigation revealed that the patch – available in the market – allows unauthorized persons, from anywhere in the world to generate Aadhaar numbers at will. 

Gustaf Bjorksten, one of the experts who analyzed the patch at HuffPost India’s request said, “Whomever created the patch was highly motivated to compromise Aadhaar.” He added “To have any hope of securing Aadhaar, the system design would have to be radically changed.” The experts opined that fixing the vulnerability of Aadhaar data requires changing the fundamental structure of Aadhaar programme as the choice of technology at inception is intrinsically vulnerable. 

SOME WORST DATA BREACHES IN THIS DECADE

ENTITY BREACHED	DETAILS	AFFECTED NUMBER
YAHOO	Year 2013, every existing account with Yahoo was breached. It was reported in year 2016. Thus far it was the largest breach ever to occur.	3 Billion people.
FRIENDS FINDER NETWORKS	Year 2016, the breach affecting over 15 million accounts deleted but had not been purged from the data base.	412 Million people.
FACE BOOK	On Amazon’s cloud computing service, a bunch of records was publicly exposed. It included passwords and location data too.	540 Million people.

Laws Related to IT and Data Protection

In India, the Information Technology Act, 200 (the Act) is the only Act to date – barring the Bill of 2019 – which contains provisions of data protection though does not cover all aspects. Some aspects covered are:

• Section 66 E of the Act explains privacy violation
• Section 72 is on penalty for breach of confidentiality and privacy
• Section 72 A – Punishment for breach of information in breach of lawful contract

Data protection regulations in India and overseas:

• India has recently introduced the Personal Data Protection Bill, 2019 (it is presently being analyzed by the Joint Parliamentary Committee in consultation with various groups). 
• European Union introduced General Data Protection Regulation (GDPR) effective May 25, 2018.
• California Consumer Protection Act (CCPA) signed into law on June 28, 2018.

These regulations impose exemplary (deterring) penalties on the organizations in case sensitive personal data is lost or leaked, they have cross territorial jurisdiction/application. 

Summary and Conclusion

•  If you know better, you can do better
• For daily Data security :
  Back up before you pack up 
• For Data Backup security:

Think before you select (the data to be backed up),

select before you secure, 

secure with the latest (available technology),
sequester and save, that is really the secret!

• To the extent possible and your business warrants adopt or at least adapt and implement the 3-2-1 Backup Rule. If your business can not afford the least that can be done is to have a RAID (Redundant Array of Independent Discs). 

Awareness is a requisite and adaptation of right solutions and continuous upgradation is an antidote to cyber security problems. 

Like happiness security is a pursuit not a destination, and effectiveness is not the absence of problems, it is the ability to forestall and deal with them. For data security like happiness there is no such thing as happily ever after. 

References

[1] BrandPost by Dell Technologies

[2] RAID 1 vs RAID 5: What Are The Pros And Cons? An article in ComputerWeekly.com

[3] VARONIS Inside Out Security Blog on Data Security

[4] HUFFPOST 

[5] PurdueGlobal University (purdueglobal.edu)

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skill.

LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: