Disaster Recovery

29 September 2006

Fire, earthquake, hurricane, flood, terrorism and sabotage are just a few of the ways that you could lose your entire computer operation almost instantly. Is your business prepared for these possibilities?

When Hurricane Andrew blew through Miami, my house was about one mile from the northern eye wall. I watched its exterior walls oscillate and listened to roof trusses straining and shifting in the wind. I always thought that it felt like being on the wrong side of an artillery strike. At any moment, the house could have come tumbling down or missile like debris come flying through. The protection for my children consisted of mattresses over their heads not Kevlar armor.

When I walked outside after the storm, the level of devastation was beyond anything I'd ever experienced. It looked like pictures of the most catastrophic war I'd ever seen, but worse. No camera could truly capture my experience because I think the focus of any lens is too narrow. Experiencing this scene personally was like nothing a camera had ever conveyed to me.

Once you've experienced nature's power like that, you see the world a bit differently. Disaster is no longer something that can only happen to other people. Nature is no longer something that you can always tame.

Hurricane Andrew taught Burger King, American Bankers Insurance and others that you can lose your entire corporate headquarters almost instantly and with no warning. Unfortunately 9/11 taught many businesses in New York that terrorism can do the same thing.

Your business needs a comprehensive disaster plan. My focus today will be your computers.

The goal on any computer disaster plan is to protect the continuity of your business in case of disaster. Consider just a few of the essential corporate functions that rely on your computers. Consider how you would do payroll, order entry, inventory, accounts receivable, and other functions without your computers. Not only might you not be able to do these and other things, but what if all your data including your backups were destroyed. You may just be out of business.

The goal of any disaster plan is to reduce your financial losses. In some industries, you may even have regulatory requirements that mandate a plan. Some companies have contracts with customers that require an effective disaster plan.

Disaster Recovery Alternatives

There are companies in the business of providing disaster recovery services for your business should you suffer a catastrophic loss of your computing ability.

A simple Internet search engine query like "disaster recovery computer" will direct you to several alternatives.

These companies provide a whole array of services. Most importantly, they'll make their computers available to you so that you can be back in business as quickly as possible. Whether it's mainframes or PCs or configurations in-between, they have the hardware and expertise to assist you in times of disaster.

Typically, you pay a yearly subscription fee as a kind of insurance policy. If you suffer a disaster, you "declare" an emergency and the disaster plan kicks in. The level of service you get will depend on what you contracted for when you signed on with them.

In evaluating your alternatives, you should look at several things and don't be shy about it. You're looking at the company that may be giving your business life support at a time when it's in critical condition.

The first item is the facility. Does it use halon fire suppression instead of sprinklers? Is it physically located in an area where there is less risk of flood, earthquake, and crime?

Does the company use the latest technology to serve its clients? Is their hardware inventory up–to–date?

Do they provide you with detailed audit trails? Do they have comprehensive alarm systems including motion, sound, temperature, and humidity? Will your data be co-mingled with other data?

Are their vehicles customized for transporting magnetic media? Are their containers constructed well? Are they foam–lined, fire, water and shatter–resistant?

Finally, check their references. Talk to clients who've had disasters and used their recovery services. Ask about their experiences in their time of need. It's an unfortunate fact that any company supplying disaster recovery services over the last few years has had their services tested by companies caught by 9/11, Katrina, or other disasters. I suggest you use their client's pain as you do your research.

When you do pick a company, be sure to have a lawyer familiar with these types of contracts negotiate your agreement. Your lawyer needs to be familiar with computer disaster planning and the issues unique to technology contracting. You're buying very specific services as detailed in your contract. After the disaster is not the time to find out that your contract doesn't give you the services you thought you were getting.

Tips for your Disaster Plan

Start by creating a team that includes leaders from all major segments of your business. Your goals are survival with minimal losses and a prompt recovery to normal operations. You must first analyze your risks, then identify your critical functions,examine your vulnerabilities, and then prepare the plan.

You will need to answer questions like how will various disaster scenarios impact your business. Which business operations must you resume immediately after a disaster? How long will it take to get other operations up and running? What resources do you need in place in advance?

Assume the worst while developing your plan. Assume that your facility is a complete loss with nothing salvageable. I know that I saw plenty of this scenario for a lifetime after Hurricane Andrew.

Be sure to review your insurance coverage. Look for valuable papers coverage. This will reimburse you for the cost of recreating valuable documents and re-inputting data.

Make sure that your policy covers software as well as equipment rental.

Next, make sure that your backup procedures include off site and geographically remote storage of data. Earthquakes, flood and hurricanes are just a few examples of calamities that cut a wide swath. Even backups on opposite sides of a large city can both be destroyed simultaneously in an earthquake.

Finally, the last step is test, test, and test again. No disaster plan is complete without testing. Absolutely no test plan works as written the first time. Yours will not be the first to change this rule. The unanticipated always happens. Sometimes it's the stupid stuff like the tape is in the wrong format for the disaster recovery center's computer. Whatever it is, anticipate the unanticipated. Your best insurance is a well–tested and periodically rehearsed disaster plan.

Mark Grossman's "TechLaw" column appears in numerous publications. Mark Grossman has extensive experience as a speaker as well. If you would like him to speak before your group or corporate meeting, please call (305) 443-8180 for information.

You can find a TechLaw archive at: www.DeWittGrossman.com.

If you have any comments, please send them to MGrossman@DeWittGrossman.com.

Disclaimer: The advice given in the TechLaw column should not be considered legal advice. This newsletter only provides general educational information. You must never rely upon the advice given here. Your individual situation may not fit the generalizations discussed. Only your attorney can evaluate your individual situation and give you advice.

Except as provided below, you may feel free to forward, distribute and copy the TechLaw column if you distribute and copy it without any changes and you include all headers and other identifying information. You may not copy it to a Web site.