Like many storage managers, Ken Hutchins, director of technical services at Reston, VA-based AdvanceMed, has high hopes that 2003 is the year he'll finally get to implement a disaster recovery (DR) site. "Every year it gets approved in my budget," he says, but somewhere, somehow over the course of the year, the project gets nixed. "So far this year, it hasn't been cut."
And in light of today's legal climate, cutting funds for a DR project would be very unwise, says Polly Nelson, legal counsel with CNT, a maker of storage networking equipment that also provides disaster recovery and business continuity planning services.
That's because with today's increased focus on corporate accountability, it's increasingly likely that corporate officers who fail to implement an adequate disaster recovery and business continuity (BC) plan may be held personally liable for losses incurred from an outage.
In the past, company officers enjoyed a waiver of liability, Nelson says, but recently the courts have found a way around that waiver. Furthermore, Nelson believes that it's just a matter of time before laws such as the Prudent Man Rule and the Foreign Corrupt Practices Act are used to prosecute inadequate DR and BC plans.
"The threat has always been theoretically there," Nelson says, but it's much more real today.
Or is it? To date, there's been no legal test of this idea, says Jon Toigo, an independent consultant focusing on disaster recovery. And "as long as there hasn't been a legal test, it's not going to be of real concern - you're not going to convince someone who isn't inclined to spend money on DR with some hazy, amorphous threat of legal mumbo jumbo."
Nor are we going to see these lawsuits any time soon, Toigo says. "We have a Republican administration and we're in a depression. The only enforcement efforts I can imagine would probably be around national security - you're with the Al Qaeda terrorists because you're not carpooling ... or something."
So for the time being, the impetus to spend money on disaster recovery remains what it always has been: good corporate stewardship, not threat of legal action. "Vendors have been raising these specters for a long time in an effort to cajole senior executives in to spending money," Toigo says.
However, Nelson adds that liability isn't just related to corporations and officers, but also to individuals and companies that develop disaster recovery plans - her company included. "There have been cases where the courts have found computer specialists guilty of professional negligence for failure to act reasonably in light of special knowledge, skills and abilities," she says.
Whatever the case, American corporate officers' awareness of liability for ensuring DR is minimal, says Don Beeler, president and CEO of NSI Software, a maker of asynchronous data mirroring software. He adds that in the United Kingdom, officers' exposure is much higher, and is fueling sales of NSI's DoubleTake product through its European resellers. Strict legal requirements across the pond may very well fuel awareness state-side, Beeler says.
For organizations that choose to heed this warning, Beeler says there is a bright side: The cost of doing DR has dropped dramatically over the past couple of years. "When I tell people how much DoubleTake [NSI's product] costs, they look at me and ask, 'That's all?'"
And for those that don't? DR's relatively low cost of doing DR might actually be held against you. "The cost has come down so much, it almost makes it look worse if you didn't do it," Beeler says.