Katrina Teaches Hard Lessons on Disaster Recovery

Katrina Teaches Hard Lessons on Disaster Recovery

By Forrest Whitesides

Continued from the Home Page

New York—If there’s one thing the accounting profession can take away from the widespread destruction of Katrina, it’s that you can’t be too careful when it comes to client data redundancy. Many accountants, architects, medical professionals and lawyers, among others, in the Gulf Coast were scrambling to recover the tons of paper files and gigabytes of computer data destroyed in America’s worst-ever natural disaster.

While the actual file cabinets and computer terminals were sitting under as much as 20 feet of water or had been swept away by hurricane-force winds, firms that had off-site data backup systems in place before the hurricane hit had a much easier time getting their businesses up and running again.

“The first thing a firm should do is conduct a risk assessment and identify which threats need to be addressed,” said Joel Lanz, chair of the Society’s Technology Assurance Committee. Once possible threats have been identified, Lanz said, a firm can then put together a business continuity plan that includes the backup of client and operational data.

“At the very least, you should have some form of on-site data backup in place,” said Andrew Blackman, a member of the Society’s Personal Financial Planning Committee and past member of its 9/11 Task Force. “With on-site backup, such as a tape backup system, you have the ability to take your most recent data with you when you leave every day.” Blackman added that the portability of data is a key component in securing its safety.

“I use rewritable DVDs to back up my client’s data” said Paul Rafanello, a member of the Society’s Technology Assurance Committee and a sole practitioner in Warwick. “I burn two copies when I make a backup. One copy I take home with me, and the other I store at a separate off-site location.”

Although a category four or five hurricane is unlikely to strike New York, other disasters, of both natural and man-made varieties, can affect firms in the area. The terrorist attacks in 2001 are a prime example.

“As far as data recovery is concerned, one of the two main differences between 9/11 and Hurricane Katrina was the geographical area affected,” Blackman said. “With 9/11, a firm in the affected area that had its data backup up off-site just 20 blocks away would’ve been able to get back to business in relatively short order. But with Katrina, some firms would’ve needed their data as far away as 200 miles in order to be certain of its recovery.”

To circumvent the geographical issue, one option is to contract out off-site data storage to companies that specialize in online data backup. These companies typically offer a range of options and pricing plans, and allow for backup of documents, database files and e-mail. With an online backup system in place, a dislocated firm could retrieve their client data from any location with an Internet connection.

“A good third-party service provider may be the answer, but you have to do due diligence and make sure the third party has proper security in place and that they have a disaster recovery plan in place,” Lanz said. “Make sure any vendor you use is SAS 70 certified.” SAS 70 is an authoritative guidance that allows service organizations to disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format.

A comprehensive data recovery plan is critical when disaster strikes, but without regular testing, firms could have a false sense of security.

“Regardless of how you secure your data, you really should have a separate computer that is used solely for testing your backups and to see if your recovery process works and that there are no glitches,” Rafanello said.

“There really is no one-size-fits-all answer to this problem,” Lanz said. “It’s up to each individual firm to weigh the pros and cons of each solution. But no matter what, you should have some kind of backup system in place.”