No discussion of disaster recovery (DR) and compliance issues would be complete without looking at the Sarbanes-Oxley Act of 2002 (SOX). Originally designed to help avoid the irregular accounting situations made famous by companies like Enron, SOX was passed in 2002 to outline strict guidelines for financial reporting and disclosure for all public companies in the United States. The passage of this act affects much more than your financial reporting, however.
Primarily, SOX details what must be reported from a financial view of your corporation, and when those reports must be made. It also details guidelines for internal compliance operations to ensure that these reports can be created on time and accurately. The SOX requirements have serious implications for your DR planning.
What SOX says
SOX clearly states a harsh set of fines and other punishments for failure to comply with the law; however, it doesn't offer any leeway when it comes to being unable to meet your requirements due to a disaster or other data-loss event. You must be able to file your reports and have the data to back them up, no matter what else may be going on in the organization or its data center. While I'm fairly sure massive disasters like the hurricanes in the Gulf Coast region would mitigate some of the punishments due to SOX violation, there is no guarantee that this would be allowed. The bottom line is that even in the case of large-scale disasters, your company could be held liable if you cannot meet the requirements of the regulations.
The section of the SOX Act (see page 45 of this PDF) that most pertains to your DR plan is Sec. 404, Management Assessment of Internal Controls. It stipulates that the organization should "state the responsibility of management for establishing and maintaining an adequate internal control structure" and "contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."
What SOX means
Much like HIPAA, SOX does not spell out specific kinds of technology that you must employ or give requirements about how often backups are made, where they should be stored, etc. All of those decisions are left up to you, but you must document the policies and procedures you put in place to safeguard your data and make sure it's available for reporting on an annual basis. Covering all the gaps could mean implementing new systems—hardware and software—that put a sizable dent in your budget. It is this expense that's heating up the SOX debate right now. The SEC is prepared to create a huge loophole that opponents say would gut the Act and basically exempt 80 percent of all public companies from having to get their internal controls validated by an auditor.
Preparation for DR in light of SOX has two primary parts. The first is putting systems in place to completely protect all financial and other data required to meet the reporting regulations and to archive the data to meet future requests for clarification of those reports. The second is to clearly and expressly document all these procedures so that in the event of a SOX audit, the auditors clearly see that the DR plan exists and will appropriately protect the data.
On the surface, this sounds pretty straightforward. You no doubt have already begun DR planning, and therefore are already looking to protect this data, but the complexity of the Act means that you'll need to speak with internal and possibly external counsel in order to figure out exactly which data is the most crucial. In addition, many companies are using intricate software packages to make sure they are in compliance with SOX, and these new systems will therefore need to become part of your DR planning immediately.
SOX DR planning is definitely a series of hurdles that every publicly traded company must overcome. There is little or no "wiggle room" here, as the government agencies responsible for enforcement still remember previous accounting debacles and will be unlikely to show any mercy to you or your DR plan if reports cannot be filed on time.