Have you heard the one about how Toy Story 2 was accidentally deleted before release, and almost lost for good? Only by pure miracle was the film saved. In this blog post, I look at:
- Some of the data protection rules (including personal data laws and discovery rules) that require protection of data and files;
- How to ensure that your disaster recovery policies and procedures line up with legal obligations.
The year is 1998, 150 Pixar staff are working on Toy Story 2…
The team were working in a Unix network environment with very broad file permissions – basically any staff member could access any file at any time. It was intentionally set up this way to aid efficiency on the project. One day, a staff member executed the infamous ‘rm -r -f *’ command: in essence, an instruction to the system to recursively delete every file and directory beneath the current directory, without prompting for confirmation. It was intended to be executed on a specific directory to get rid of unneeded files. Unfortunately, it seems the command was mistakenly applied to the ‘root’ directory, and every file in the system was being systematically deleted.
By the time the mistake was caught, 90 percent of the film’s working product was gone.
So, what next? Go to the back-up tapes, you say? Unfortunately, mistakes were made there too – the backup tapes were not being regularly tested and the ongoing work product had not been saved.
Miraculously, the film was saved by one of the workers who had taken home a copy to work from while at home caring for her newborn son.
Some industries have strict rules about the storing of data, including government departments, hospitals, and banks. For other businesses, data protection obligations only kick in at certain points, such as where they hold personal data (data that identifies people) and when legal action is looming (i.e., discovery awaits). It is this last point I want to focus on.
The rule, developed by the Courts as part of the principle of ‘spoliation’, is that evidence should be preserved in anticipation of litigation, either where the individual actually anticipated it or where a reasonable person would have. The origin of this duty goes right back to 1772 in Armory v. Delamirie.
Where a company has received a formal ‘legal hold’ notice, it will be clear that it needs to protect data in anticipation of litigation. In other cases, it won’t be so clear.
In order to ensure compliance with all relevant data protection laws, it is crucial that all organizations have in place a framework for securing the files and assets of the company. To protect against ‘Toy Story 2’ incidents it is particularly crucial to have robust data back-up, destruction and disaster recovery policies covering:
- How and where all organizational data is to be backed-up;
- When it may be destroyed;
- Regular testing of data back-up processes;
- Who is responsible for disaster recovery.
To read more on general information governance processes see The Importance of a Solid Information Governance Framework.
All organizations need to have robust information governance and data protection policies in place, both to protect their business from a ‘Toy Story 2’ event and to ensure that all data is protected in anticipation of litigation and in accordance with other data protection laws.