All of an organisation’s records should be secure, whether in hard copy or digital format.
It is certainly more obvious and tangible when securing hard copy. You have robust, lockable filing cabinets, secure filing rooms, possibly camera surveillance, passkey access and fire-proofing: all things you can see and touch.
Securing digital records isn’t so obvious; it is a bit like an iceberg, where you can only see a percentage of the security and the rest is invisible. Again there is the bricks and mortar to house the computing equipment and the surveillance infrastructure, but then there are VPNs, firewalls, multiple synchronised servers, data encryption, and the need for IDs and passwords to gain access to data; your security strategy can include all or a combination of these. All of it is designed to limit unwanted attempts to gain access to the data, both physically and via the internet.
Data encryption is possibly the most important factor in securing your data, and it should be the subject of much discussion between you and your storage provider.
The location of your stored records is also a high priority. There are storage providers who have servers located in multiple locations, including overseas, and there are countries whose privacy laws aren’t as stringent as others. In Australia there are also mandatory data breach reporting requirements, making it an offence for a provider not to disclose a breach of security. This is not the case in many other jurisdictions.
Where an organisation holds not only records pertinent to its operations but also personal data of both staff and clients, it is even more critical to ensure privacy is the highest priority. Today, the protection of privacy is top of anyone’s list when they are functioning in a digital world.
Legal firms, medical facilities, financial institutions and government departments are the organisations most likely to hold sensitive information about individuals, and they are prime targets for hackers with malicious motives.
Identity theft, something we hadn’t really heard of even twenty years ago (though the phrase was coined in the 1960s, before “cyber-crime”, when it referred to paper information), can now be far more intrusive, less obvious while it is occurring, and have very serious consequences.
Business continuity is also high on the agenda when considering web-based storage of digital records. If you could not gain access to your records due to a problem with your provider, how could you continue to operate? A viable provider with a solid reputation for maintaining 24/7/365 availability is the only option.
Doing a thorough investigation of a provider’s capabilities, facilities, infrastructure, and the software and systems they use is simply due diligence, and it is your right. Not doing it is ignoring your duty of care to those who trust you to protect their privacy.
The National Archives of Australia has produced a checklist to consider when choosing web-based storage; it can be found at http://www.naa.gov.au/records-management/publications/cloud-checklist.aspx and downloaded as a PDF. While it was developed for government agencies, it can serve as the basis for any organisation’s evaluation.