This is a guest editorial from Phil Factor.
You might think that, once you’ve applied the hotfixes, secured the server room, imposed a security strategy for all your databases, encrypted your data and backups, and sorted out your network security, you could stop worrying about other people viewing your data. Not quite.
The idea that someone might take legal action against you or your company might seem absurd. However, litigation does happen. The typical large US company faces an average of 305 lawsuits and spends $12 million a year on litigation alone, not including settlements or judgments. Since the Enron collapse, it has become a growing trend for a company like yours to be compelled by a court to provide a third party with the data in your databases, and to ensure that all of that data is accessible. Lawyers call this an ‘e-discovery request’. If a litigant is granted broad access to your data, there is little you can do to control what is sent to them. It is not a pleasant feeling to have to hand over data to someone who is locked in litigation with you or your company.
It is quite reasonable for a litigant to ask for data from a database. A court needs evidence, and the legal teams for both parties must have reasonable access to it. Increasingly, reports are regarded as less useful than the core transactional data. If a litigant can argue persuasively that your database could contain relevant material, then you must provide it. Of course, you can argue that the request for the data is too broad or burdensome, but you have to make that argument well in advance. You can also request that the cost of your work in making the data available be met by the applicant, but I wouldn’t bet on the court agreeing to this.
This adds up to a requirement to retain data backups far longer than the company might need, so that, if someone sues the company, you are in a position to respond to all reasonable requests for data, for the same reasons that you archive and retain e-mail documents as part of your document-retention policy. (You do have such a policy, don’t you?)
Retaining data over ‘mandated data retention’ periods of more than a decade can be tricky, especially if the database software is no longer in production. You must be able to show that it was impossible to tamper with the data. To make matters more complicated, you will have to be able to supply not just the data but the metadata. Courts don’t like being told that you don’t have the data, and they may even take the view that you are destroying or withholding evidence.
This boils down to the possibility that you, the DBA, may suddenly be required by a court to produce database backups for transactions going back a decade, and you’ll have to ensure that someone else can make sense of them, that they are of the date they purport to be, and that you can prove nobody has tampered with them.
It may be best for DBAs to ensure that their company has a ‘data-retention’ policy, that the database backups for any corporate data are encrypted to ensure their value as evidence, and that the retention period conforms with the policy.
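The two properties the editorial asks for, being able to prove that archived backups are of the date they claim and that nobody has altered them, come down to recording a cryptographic hash of each backup file together with its metadata, and sealing that record so the record itself cannot be quietly rewritten. The following is an added example, not code from the editorial or from SQLServerCentral: it builds such a manifest for a set of stand-in backup files in a temporary directory, seals it with an HMAC under a key kept separately from the backups (the key, server name, database name and file names are all constructed placeholders), and then shows that verification detects both a modified backup file and a modified manifest. A real archive would replace the HMAC with a digital signature or a trusted timestamping service so that the proof does not depend on a secret the same team holds.

```python
"""Tamper-evident manifest for archived database backups (added example).

Assumptions (constructed for this example, not from the editorial):
  - backup files are ordinary files on disk; small stand-ins are created
    in a temporary directory instead of real SQL Server .bak/.trn files.
  - the manifest is sealed with HMAC-SHA256 under a placeholder key that
    would, in practice, be held away from the backup media.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(body):
    # Deterministic serialisation: the seal must be computed over exactly
    # the bytes that will be re-serialised at verification time.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(paths, metadata, key):
    """Hash each backup file, record the metadata a future reader will need
    (server, database, engine version, when the archive was made), and seal
    the whole record with an HMAC so any later edit is detectable."""
    entries = [
        {"file": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
        for p in sorted(paths)
    ]
    body = {
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "metadata": metadata,
        "files": entries,
    }
    return {"body": body, "hmac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_manifest(manifest, directory, key):
    """Return (ok, problems). The seal is checked first: if the manifest has
    been edited, nothing inside it can be trusted, so file checks are skipped."""
    problems = []
    expected = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        problems.append("manifest seal does not verify: the manifest itself was altered")
        return False, problems
    for entry in manifest["body"]["files"]:
        path = os.path.join(directory, entry["file"])
        if not os.path.exists(path):
            problems.append(f"{entry['file']}: missing")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"{entry['file']}: contents changed")
    return not problems, problems


def demo():
    """Seal two constructed backup files, then tamper with a file and, separately,
    with the manifest. Returns a dict of the three verification results."""
    key = b"placeholder-hmac-key-kept-away-from-the-backups"  # constructed placeholder
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, content in [  # constructed stand-ins for real backup files
            ("Sales_FULL_20080101.bak", b"constructed full backup bytes"),
            ("Sales_LOG_20080101.trn", b"constructed log backup bytes"),
        ]:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            paths.append(p)
        meta = {"server": "PRODSQL01 (placeholder)", "database": "Sales",
                "engine": "SQL Server version (placeholder)"}
        manifest = build_manifest(paths, meta, key)

        clean_ok, clean_problems = verify_manifest(manifest, d, key)

        # Tamper with the backup file itself: one appended byte changes its hash.
        with open(paths[0], "ab") as f:
            f.write(b"x")
        file_ok, file_problems = verify_manifest(manifest, d, key)

        # Tamper with the manifest instead: rewrite the recorded database name.
        forged = json.loads(json.dumps(manifest))
        forged["body"]["metadata"]["database"] = "Marketing"
        seal_ok, seal_problems = verify_manifest(forged, d, key)

    return {"clean": (clean_ok, clean_problems),
            "file_tampered": (file_ok, file_problems),
            "manifest_tampered": (seal_ok, seal_problems)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The manifest stores the metadata a court will ask for alongside the hashes, so the evidence about what was archived is sealed with the same mechanism as the evidence about its contents. Keep the manifest and the key (or, better, the signature and its public certificate) on different media from the backups: an attacker who can rewrite a backup must not also be able to rewrite the record that proves it changed.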
Phil Factor
The Voice of the DBA Podcasts
The podcast feeds are now available at sqlservercentral.mevio.com to get better bandwidth and maybe a little more exposure :). Comments are definitely appreciated and wanted, and you can get feeds from there, or now on iTunes!
- Windows Media Podcast - 23.3MB WMV
- iPod Video Podcast - 24.3MB MP4
- MP3 Audio Podcast - 4.9MB
Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.
I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.