I’ve been getting a slow stream of calls from CIOs caught in the same bind. The CIO’s firm is involved in some kind of litigation. E-discovery has been underway, and somebody has found a shelf or box full of dusty old backup tapes. Somebody responsible for servers, databases, or operations had preserved these as insurance in case of unspecified problems. (No doubt based on bitter experience recovering from one of the common causes of data disruption.) Now the attorneys are calling for an inventory of exactly what is on the tapes, with expectations that MIS will eventually be instructed to produce some of the actual records on the tapes.
The CIO is caught in a bind, because a court may generally expect that producing records from a tape is similar to producing papers from a file. However, the CIO’s shop will likely no longer have the right hardware or software for reading the tapes, or the right software for recreating the information from the stream of bytes on the tape. There can be a long technical journey between having some random tapes full of data in backup format, and reproducing an e-mail or a database query from 1992.
Every system administrator knows (and can be summoned to testify in court) that good system administrators will keep a private collection of backups in readiness for the day when a heroic system recovery will be required. Likewise, every database administrator knows (and can likewise testify) that good database administrators will keep a private collection of backups in readiness for that day when a heroic database recovery will be required. (Once while implementing a new backup solution, a DBA told me that he didn’t care if we took hot, cold, daily, weekly, full, or incremental backups of his database. In a real recovery situation, he planned to restore his database from a private backup on a flashdrive in his desk.) An experienced CIO could be expected to know that these private backup collections exist. To the sysadmins and DBAs, they are a bulwark against Murphy’s Laws. To opposing counsel, they can be treasures from Alladin’s secret cave. To corporate counsel, they are a liability, and to CIOs they are a possible future migraine.
This may be the time for a prudent CIO to establish policies on authorized and unauthorized data repositories, and policies on purging media when applications, systems, or staff are retired, replaced, or re-purposed.
Which is scarier to a CIO: an outsourced sysadmin leaving and taking his private collection of backups with him? Or a sysadmin departing and leaving his private collection of backups on a back shelf to be discovered a year or two later?
(Image courtesy pixel2013 at Pixabay.)