Data privacy has been in the news a lot lately, and reports of information compromise are frequent. Countries are getting serious about data privacy and are imposing stiff fines for failure to adequately protect personal information. According to King and Spalding, in a March 25, 2010, Corporate Practice Group Client Alert, “The UK data protection authority, the Information Commissioner, will have powers to issue fines of up to £500,000 against companies who breach UK data protection laws from 6 April 2010.” King and Spalding go on to explain that the power to impose the fine can be exercised if “the Information Commissioner is satisfied that the breaches are ‘serious’ and of a kind likely to cause substantial damage or distress and provided the company either deliberately breached data protection laws or knew (or should have known) that there was a risk that a breach would occur but failed to take appropriate action.”
These laws are focused on the unauthorized release of personal information, not on protecting information against loss, deletion or destruction. At the same time, however, laws already exist in some industries, such as financial services, that mandate disaster recovery capabilities and disaster recovery testing. In addition, laws such as the Safety Act, which requires the preservation of information, have been introduced to improve the ability of law enforcement organizations to locate individuals who are engaging in illegal activity on the internet.
What is interesting about some of the information privacy laws is that liability can be assigned and fines assessed even when companies do not know that a risk of data compromise exists. The requirement is that they “should have known.” It is a matter of corporate responsibility to know what is possible and to make reasonable efforts to protect against bad events. It is not difficult to imagine that a similar responsibility test may be applied in disaster recovery and data retention laws. Organizations will likely be held accountable for what they “should have known” if they failed to act. Given advances in data replication, deduplication, storage tiering, and data archiving technology, organizations should know that all data can be affordably replicated to multiple sites, all data can be protected against a wide range of disasters, and all data can be affordably archived. Consider yourself informed.