Reducing Off-site Storage Risks: What You Need to Do Now

The off-site storage industry continues to lack a common set of best practices to describe the services they provide or ways to measure service delivery.

A couple of weeks ago, Iron Mountain, a leader in the off-site storage and records management services space, received some unwanted publicity. Within a 24-hour period, not one but two of its information repositories were hit by fires. One, in Ottawa, was deemed accidental in origin. The other, in London, was arson. The popular theory is that someone burned the facility to the ground to destroy copies of a relative’s will that did not include the arsonist.

Either way, it was publicity that Iron Mountain and the rest of the records storage industry did not need. Not now—not when they are poised to make a lot money storing the entire junk drawers of data created by companies too paranoid about regulatory consequences to consider throwing anything out.

The off-site storage people have been taking it on the chin for some time now. There were fires in the past, at Iron Mountain and elsewhere, to be sure. In some cases, greed may have been at the center of the blaze: some facilities may have been torched to collect insurance—an old story.

About two years ago, with the added attention paid to information privacy by regulators and lawyers, stories began to surface with increasing regularity about missing tapes—including a highly publicized Bank of America incident in which tapes containing sensitive customer data fell off the back of the commercial offsite storage vendor’s truck. BofA had to make a public "mea culpa" to satisfy the Gramm-Leach-Bliley Act of 1999, but considerable emphasis was placed on the lack of attention demonstrated by the off-site storage company's truck driver.

There have even been incidents in which the offsite storage company was made responsible for retaining and managing the stored assets of a health-care insurer after that insurer went out of business. Under the Healthcare Information Portability and Accountability Act (HIPAA), the vendor couldn’t treat the defunct customer’s data the way a landlord treats the goods of a delinquent renter—which is to say, it couldn’t put the belongings on the street for trash collection.

In almost every instance, the root cause of these problems was never addressed. Instead, marketing mavens, both in the commercial off-site storage industry and the storage technology business, leveraged the incidents to promote new products and services.

Where are the Best Practices?

At the root of all this is the lack of a set of rigorously applied best practices across the commercial off-site storage industry. The industry has fought vigorously against the development or adoption of standards—or even quasi-standards—for delivering services to their customers. A couple of quick examples help to make the point.

A while back, the National Fire Protection Association set about revising a guideline that would force commercial storage providers to compartmentalize their facilities as a safeguard against sweeping fires. While no one is obligated to adhere to NFPA guidelines (unless they have been adopted by municipal fire codes), it is widely viewed as a marketing plus for firms to be able to wrap themselves in the NFPA flag and display conformance with NFPA guidelines in their service brochures. So, when the NFPA decides what commercial service providers should be doing with their facilities to keep consumer records safe, it causes the industry to sit up and take note.

"NFPA 232: Standard for the Protection of Records" is an evolutionary document initiated on the heels of a disaster event, the 1922 Chicago, Burlington and Quincy Railway Building fire. Since its first publication in 1947, it has gone through several iterations, but none was as contentious as the amendments (called "comments") to the 2000 edition. One in particular had to do with rules for facility compartmentalization.

When the initial proposal was approved as a comment by NFPA’s Technical Committee, many larger firms in the off-site storage business rebelled. Don’t take my word for it—the transcript of the appeal hearing is published on-line at NFPA.org . To summarize, the industry didn’t want a specification that would require it to perform expensive retrofits of their facilities—despite the fact that only a few years before the need for such improvements had been clearly demonstrated by a series of three fires over a 12-day period at Iron Mountain sites that destroyed over 1 million corporate records.

Facility standards aside, the off-site storage industry continues to lack a common set of best practices to describe the services they provide or ways to measure service delivery. Since the beginning of the decade, there has been unending debate within one of the leading industry trade groups, PRISM, over the idea of articulating a uniform set of best practices that might go a long way toward policing the more egregious issues of staffing, materials handling, transportation, and so forth.

In an e-mail message thread shared with me by a reader, the core problem is laid bare. The thread begins with a question from someone who wants to open an off-site storage facility, asking if there is a list of ‘best practices’ in vaulting. No one could point to such a list.

The Mean Season is Upon Us

Unless something is done to police the off-site storage industry, which has its fair share of both dedicated service providers and charlatans who came into possession of an old bank vault, our data will be as much at risk in off-site storage as it is sitting in the desk drawer next to the system we just backed up.

My recommendation to readers this week is to review your data protection plans. We are entering what we here in Florida call the Mean Season: the period of late summer/early fall when weather systems tend to get more active and dangerous and the hot temperatures and muggy climate stand everyone’s nerves on end. Historically, the Mean Season tends to coincide with an up-tick in disasters—large and small.

If you use an off-site storage service, mark your calendar to take a trip over the next week or two. Shadow your delivery truck when it arrives to rotate out your media. Follow the driver to see whether he stops for coffee, leaving your precious backups unsupervised and baking in the van. Then, make an impromptu visit to your storage facility—preferably during mid-week. Take a hard look at the condition of the site, the promptness of the staff, and the condition of your stored goods.

Until there is a standard set of minimum best practices that facility operators must follow, your best defense is vigilance.

Your comments—and what you discover about your off-site storage service—are welcome at jtoigo@toigopartners.com.