If you were living under a rock last month, you might have missed the 20-hour service outage that unexpectedly impacted Salesforce.com on May 10th. The interruption caught many customers and the industry by surprise, triggering a social media firestorm and causing the company’s CEO to take to social media to apologize. The most concerning aspect of the disruption, though, was the announcement that (in the company’s own words):
This resulted in a window between 2:53 a.m. and 6:29 a.m. PDT on May 10, 2016 where data written to [the affected server] was not applied to the instance.
“Not applied.” Or in other words, any Salesforce CRM data you may have created or changed in that window is gone.
The missing data has since been recovered, but you can imagine the chilling effect this statement must have had on customers at the time. The irony is that Salesforce is rated as the industry’s #1 CRM tool and serves as the central ‘source of truth’ for business data for more than 150,000 sales teams and their organizations. The service is by its nature designed for global availability and redundancy—a true SaaS-based company. As such, management probably did everything in its power to avoid data loss, and having to report a significant or catastrophic one to its customer base.
Yet, it still happened.
The frightening reality, and lesson for all of us, is that SaaS applications and services can experience data loss—even the biggest of players like Salesforce.
Aside from the loss of productivity and revenue experienced by impacted customers, this particular outage required the rebuilding of lost data. Thankfully, in this case it was not the end of a quarter and the window of time was relatively narrow. But while Salesforce and its customers are recovering, now is the time to think more deeply about your organization’s Salesforce data protection policy, and how to ensure you are prepared for any eventuality. Of course, these questions apply not only to Salesforce, but generally to other SaaS-based tools such as Office 365, Box, and Google Apps.
Here, then, are five questions to guide you in developing a comprehensive plan for protecting your critical Salesforce data:
Salesforce Help states, “Although Salesforce does maintain backup data and can recover it, it’s important to regularly backup your data locally so that you have the ability restore it to avoid relying on Salesforce backups to recover your data.”
In the event of an accidental deletion case, for example, with no local backup in place, restoring your data would require using a slow, costly data recovery service. According to Salesforce, “The price for this service is a flat rate of $US 10,000,” and “The process … usually takes a minimum of 20 business days (4 calendar weeks).”
Can you afford to wait four weeks to recover your CRM data? For many organizations, these expenses, in terms of both time and money, are simply unacceptable. Clearly, an ounce of prevention is better than a pound of cure.
Threats to the integrity of your Salesforce data can come from any direction. The service itself may be operating normally, but that does not mean that errors cannot be introduced. Areas of concern include:
The only way to recover from these errors is to have a recent backup of your data as a fallback. This backup should be capable of being restored quickly, ensuring a minimum of disruption to your business.
In 2014, 34 percent of companies faced at least one lawsuit with more than $20 million at issue. Clearly, the threat of litigation and demands for eDiscovery are a very real concern for companies of all sizes.
As more companies adopt SaaS-based tools in their day-to-day business operations, courts are increasingly demanding production of cloud data as evidence in legal proceedings. And “we couldn’t find it” is not an acceptable excuse.
For example, in Brown v Tellermate, an Ohio federal court faulted Tellermate for failing to preserve relevant Salesforce information despite receiving a litigation hold letter. The judge noted that Tellermate’s lack of preservation was “almost inexplicable,” and concluded:
The failure to preserve the integrity of the salesforce.com information is just a different side of the same coin as the failure to produce it. Both shortcomings were premised on the basic inability to appreciate whose information it was and who controlled it.
It should be obvious that organizations have a responsibility to be proactive in maintaining and preserving their CRM data and ensuring that it can be made available for eDiscovery at any time.
Among the often-cited Federal Rules of Civil Procedure Rules, rule number 34 drives ESI requirements to preserve data from a legal standpoint. In December 2015, there were further amendments in rule 37(e) introducing more specific language regarding how U.S. District courts should act in the event of the failure to preserve data. It’s clear to see that laws are becoming stricter on the handling of ESI and less forgiving of the failure to preserve data.
Organizations today are subject to many regulatory and compliance data handling requirements, which generally involve the safeguarding of sensitive customer information. CRM data, by definition, includes personally-identifiable information (PII) such as names, addresses, purchasing habits, and so on. It is vital, then, that you have a comprehensive data management strategy in place, given that:
SaaS-based tools such as Salesforce have proven themselves to be a real boon for companies, allowing them to consolidate and centralize their CRM data, making it accessible to their teams in any location, at any time. Granular analysis of this data can be performed, empowering them to better manage their relationships with current customers and better identify potential future customers.
But (you knew there would be a “but,” didn’t you?) too little consideration is often given to the what would happen if this data were suddenly not available. Salesforce could end up compensating its customers to the tune of $20M for last month’s outage. What would be the potential impact to your organization if your Salesforce data protection policy had not factored the above aspects?
What Is the Answer?
As we have seen, you cannot rely solely on Salesforce or other service providers to safeguard your critical CRM data. The risks posed by outages, data loss, and potential litigation are too great. For true peace of mind, you need to have your own backup plan in place; one that regularly backs up your data and stores it locally to satisfy your specific data protection and retention needs.
A solution that can automate your Salesforce data protection policy should address both availability and governance requirements by providing:
Druva inSync is the industry’s best data protection solution and is rated #1 by leading industry analysts. inSync integrates seamlessly with leading SaaS-based tools to provide automated, trouble-free backup of your vital data, plus indefinite storage for meeting regulatory compliance and corporate governance requirements.
inSync currently protects and governs cloud app data residing in Office 365, Box and Google Apps. Support for Salesforce is currently in beta with production planned for end of summer.
For more information on how to address data risks in environments characterized by increasingly distributed data, download the free white paper today.