Off-site data protection

In computing, off-site data protection, or vaulting, is the strategy of sending critical data out of the main location (off the main site) as part of a disaster recovery plan. Data is usually transported off-site using removable storage media such as magnetic tape or optical storage. Data can also be sent electronically via a remote backup service, which is known as electronic vaulting or e-vaulting. Sending backups off-site ensures systems and servers can be reloaded with the latest data in the event of a disaster, accidental error, or system crash. Sending backups off-site also ensures that there is a copy of pertinent data that is not stored on-site.

Although some organizations manage and store their own off-site backups, many choose to have their backups managed and stored by third parties who specialize in the commercial protection of off-site data.

Data vaults
The storage of off-site data is also known as vaulting, as backups are stored in purpose-built vaults. There are no generally recognized standards for the type of structure which constitutes a vault. That said, commercial vaults typically fit into three categories:
 * Underground vaults – often converted defunct cold war military or communications facilities, or even disused mines.
 * Free-standing dedicated vaults
 * Insulated chambers sharing facilities – often implemented within existing record center buildings.

Hybrid on site and off-site vaulting
Hybrid on-site and off-site data vaulting, sometimes known as Hybrid Online Backup, involve a combination of Local backup for fast backup and restore, along with Off-site backup for protection against local disasters. This ensures that the most recent data is available locally in the event of need for recovery, while archived data that is needed much less often is stored in the cloud.

Hybrid Online Backup works by storing data to local disk so that the backup can be captured at high speed, and then either the backup software or a D2D2C (Disk to Disk to Cloud) appliance encrypts and transmits data to a service provider. Recent backups are retained locally, to speed data recovery operations. There are a number of cloud storage appliances on the market that can be used as a backup target, including appliances from CTERA Networks, Nasuni, StorSimple and TwinStrata.

Statutory obligations
Data Protection Statutes are usually non-prescriptive within the commercial IT arena in how data is to be protected, but they increasingly require the active protection of data. United States Federal entities have specific requirements as defined by the U.S. National Institute of Standards and Technology (NIST). NIST documentation can be obtained at http://csrc.nist.gov/publications/PubsSPs.html and commercial agencies have the option of using these documents for compliance requirements.
 * History – today's regulatory requirements started with the "Rainbow" Series. Every organization has used these standards to develop "their" version of compliance – don't get wrapped around the NIC on compliance – use "Due Care" and apply "Due Diligence" and base your infrastructure using "SECURITY" as the foundation.

Statutes which mandate the protection of data are:
 * Federal Information Systems Management Act (FISMA) – US
 * GAO Federal Information System Controls Audit Manual (FISCAM) – US
 * Health Insurance Portability and Accountability Act (HIPAA) – US
 * Sarbanes–Oxley (SOX) – US
 * Basel II – International – US
 * Gramm-Leach-Bliley (GLBA) – US
 * Data Protection Act 1998 – UK
 * Foreign Corrupt Practices Act ("FCPA") – US

Legal precedents

 * Thomas F. LINNEN, et al. v. A.H. ROBINS COMPANY, INC., et als, (Mass. Super. Court, No. 97-2307).
 * Linnen v. Robins, 1999 WL 462015, 10 Mass. L.Rptr. 189 (Mass Super. Court, 1999).
 * FJS Electronics v. Fidelity Bank
 * Zubulake v. UBS Warburg
 * Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co. Inc., 2005 Extra LEXIS 94 (Fla. Cir. Ct. 23 Mar. 2005).