LEGAL ISSUES
Can Your Company Be Liable For Not Implementing DR Plans?
By YATISH MISHRA
Recent domestic terrorism has increased
awareness of the immediate need for disaster recovery. Yet many
high-level executives don't appear to be making disaster recovery
a top priority. That may soon change. In light of current legal developments,
companies may be exposing their business, directors, and officers to
potential liability by not implementing a disaster recovery plan.
The legal issues started to emerge when federal government authorities
began announcing ongoing terrorist alerts. In the eyes of some courts,
these warnings could link terrorist attacks with a company's fiduciary
duty to implement programs that protect its human, physical and financial
assets against a foreseeable event. If a business fails
to institute a disaster recovery plan prior to suffering a foreseeable
event, such as an act of terrorism, the company could face negligence
claims and shareholder lawsuits. As a result, the 60-80 percent of businesses
still operating without a formal or tested disaster recovery plan are
left with little choice but to implement an adequate contingency plan
or risk the legal consequences.
The 1993 World Trade Center bombing introduced many U.S. corporations
to domestic terrorism. Although the corporate world considered another
domestic event a possibility, for the rest of the decade, many executives
chose to ignore funding a disaster recovery plan. During that time,
terrorism/sabotage became the fourth leading cause of business interruptions
in the U.S.

So why hasn't this threat prompted companies to implement disaster
recovery plans?
One of the primary reasons is the challenge of convincing executives
that an effective DR program is a sound investment. In a time when high-level
executives are trimming costs wherever possible, justifying an expense
that doesn't increase revenue or productivity can seem like an
impossible sell.
Let's face it: a disaster recovery plan does not pay off unless
a company experiences a disaster. But when you consider that 94 percent
of companies that experience a catastrophic data loss go out of business
within two years, the value of an effective DR plan becomes apparent.
Combine those staggering statistics with the potential legal liability,
and not only is a company dealing with major losses in sales, market
share, customer confidence, equity and stock value, but a lawsuit could
prove to be the fatal blow. 
Tragically, it took the events of Sept. 11 to change many executives'
attitudes about the importance of disaster recovery. Today's harsh
new realities are steering companies away from the traditional "cross
your fingers" mentality, which for years created a false sense
of security. Our newfound awareness of disasters, and their devastating
repercussions, is forcing businesses to rethink these issues and re-evaluate
their current plans. Auditors are asking boards of directors what their
specific company's disaster recovery plans are, which in turn is
forcing companies to implement an emergency plan as part of their overall
enterprise survival planning strategy.
Emerging threats and potential legal liability are forcing companies
to address the harsh reality that if they don't take the
necessary steps to protect their business assets from terrorism, they
may be held accountable. Corporate directors and officers must be proactive
if they plan to adequately meet their disaster recovery needs. As responsibilities
for disaster recovery planning shift from the IT department to the executive
office, the one question that companies need to ask themselves is: have
they taken the appropriate steps that a reasonable company would have
taken to protect its corporate assets from a foreseeable event? If not,
they could be found guilty of breaching their legal duty to implement
a disaster recovery plan in light of a probable event.
While it's true that many companies may never be fully prepared
for the types of unimaginable events like 9/11, taking precautionary
measures is becoming increasingly important to reduce their risk of
legal damages following a disaster. Once perceived as a costly expenditure,
disaster recovery plans are earning the reputation of being one of the
cheapest forms of insurance available. The key to appreciating the full
value of disaster recovery is understanding what's at stake.
The bottom line is that the better prepared companies are for a potential
disaster, the more they can increase their chances of survival.
Expanding The Scope Of Disaster Recovery
While a disaster
recovery plan can help a company reduce its risks and legal liability
following a tragedy, events like Sept. 11 are expanding the scope
of DR strategies. When re-evaluating your current contingency
plans, you should consider the following:
- Assess all departments and their processes and procedures
A professional assessment of each department and business unit
can provide a clear understanding of the role each department
plays in the overall business process. A thorough review of operations,
engineering, finance, human resources, customer support, sales,
marketing, technology and information systems can help you understand
your company's normal operating procedures. In addition,
it's important to consider regulatory, contractual and business
requirements.
- Perform analysis to identify, prioritize gaps and business risks
An analysis should be conducted to identify all gaps and vulnerabilities
within your company. Identify the mission-critical severity of
each business process to determine the precise solution required
to meet your company's objectives. Understanding your reliance
on external resources, such as depending solely upon a single
vendor for a critical function of your business, is vital to developing
an effective DR plan.
- Architect and develop disaster recovery plan
Understanding your company's recovery timeframe and business
tolerance can help determine the right type of plan for you. The
systems that require the highest levels of uptime are good candidates
for a highly available, "hot" DR environment. Real-time
reliability costs more; therefore, it should only be used for
functions that by their nature demand it. For example, a 48-hour
network outage would put 20 percent of Fortune 500 companies out
of business. You should also keep in mind risk-planning assumptions
like personnel, transportation and communications requirements
when designing your plan. Following the events of Sept. 11, the
government's grounding of all U.S. flights emphasized the
importance of travel alternatives, as well as the location of
a company's backup facility. Additional considerations should
include defining a physical and logical security plan, determining
what outsourcing opportunities are available, and selecting the
tools and solutions needed to implement your DR project plan.
- Implement disaster recovery plan
In order to implement a successful DR plan, you need to create
a budget, define a timeline and allocate the appropriate internal
and external resources. The overall project manager must have
senior management support and buy-in from all departments and
those directly involved. To ensure a successful deployment, the
management team must hold all members accountable for their timely
deliverables.
- Continuous testing, re-evaluation of disaster recovery plan
Regular testing of your DR plan is critical to ensure it will
be properly executed and meet your business recovery objectives.
In light of an ever-changing business environment, it is important
to periodically re-evaluate your current plan to uncover new gaps
and vulnerabilities. By repeating all steps (assessment, analysis,
architect, implementation and testing) on a regular basis, you
can reduce your risks and prevent business disruptions caused
by the failure of an outdated DR plan.
Yatish Mishra is president and
chief technology officer of RagingWire Telecommunications, Inc. RagingWire
is a Sacramento, Calif.-based IT solutions provider that offers premium
managed service solutions and world-class data center infrastructure
to large, data-intensive enterprise companies.
To comment on this article, go
to 1503-06 at www.drj.com/feedback.