By definition, the disaster recovery phase is likely to involve, to a significant degree, external emergency services. The priority during this phase is the safety and well-being of human life, the handling of the emergency itself, the removal of the threat of further injury or damage, and the reestablishment of external services such as power, communications, water, and so on. A major task during this phase is also the completion of damage assessment forms. In addition to the emergency services, the disaster recovery phase may involve different personnel, depending upon the type of emergency, and a disaster recovery team (DRT) should be nominated according to the requirements of each specific crisis.
5.1 Disaster Recovery Legal Issues
Standards of care and due diligence are required of all businesses. Not having an appropriate disaster recovery plan (DRP), which includes a reliable backup/restore system, violates that fiduciary standard of care. Although no specific law states that a business must have a DRP, there is a body of legal precedent that has been used to hold companies and even individuals responsible for the recovery of data after a disaster [1]. The precedent set by FJS Electronics v. Fidelity Bank established the standard of due care and diligence that corporations must now uphold. In that case, Fidelity Bank had a data disaster that ended up costing FJS Electronics money; FJS took Fidelity to court and won. In another case, Parr v. Security Nat. Bank [2], the decision cited the actions of Fidelity in FJS v. Fidelity:
Fidelity made a choice when it elected to employ a technique which searched for stopped checks by amount alone. It evidently found benefits to this technique which outweighed the risk that an item might be inaccurately described in a stop order. This is precisely the type of inevitable loss which was contemplated by the code drafters and addressed by the comment above. The focus of § 4-403 is the service which may be expected by the customer, and a customer may expect a check to be stopped after the bank is given reasonable notice. A bank’s decision to reduce operating costs by using a system which increases the risk that checks as to which there is an outstanding stop payment order will be paid invites liability when such items are paid.
The law relating to the development of disaster recovery plans rests on civil statutes and an interpretation of their applicability to disaster recovery planning. Liability statutes like the Foreign Corrupt Practices Act (FCPA) have been interpreted in such a way that corporate managers are now held personally liable for protecting corporate assets. The FCPA requires corporations to “… make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets …” The section of this Act that keeps it at the forefront of disaster recovery liability is the “Standard of Care” wording, whereby management can be judged on their mismanagement of corporate assets. The FCPA is unique in that it holds corporate managers personally liable for protecting corporate assets. Failure to comply with the FCPA exposes individuals and companies to the following:
Personal fines up to $10,000
Corporate fines up to $1,000,000
Prison terms up to five years
The Federal Financial Institutions Examination Council (FFIEC) [3] has issued various circulars regarding the need for financial institutions to implement disaster recovery plans. In 1989, a joint-agency Circular was issued on behalf of the following member agencies:
Board of Governors of the Federal Reserve System (FRB)
Federal Deposit Insurance Corporation (FDIC)
National Credit Union Administration (NCUA)
Office of the Comptroller of the Currency (OCC)
Office of Thrift Supervision (OTS)
The Circular stated: “The loss or extended interruption of business operations, including central computing processing, end-user computing, local area networking, and nationwide telecommunications poses substantial risk of financial loss and could lead to failure of an institution. As a result, contingency planning now requires an institution-wide emphasis . . .” FFIEC guidelines relating to contingency planning are actually contained within ten technology-related Supervisory Policy Statements. These policies are