Why Backup is a Requirement for Authenticity
The Critical Role of Backup in Maintaining Authenticity
In the context of the Electronic Bookkeeping Preservation Act (e-Bunsho Hozon-hō) in Japan and various compliance requirements worldwide, the term “authenticity” is becoming increasingly prevalent. Simply put, authenticity refers to the property that “records are accurate and can be proven to have not been tampered with.” When most people think of authenticity requirements, they typically envision “timestamps” or “digital signatures.” However, “backup” is equally an indispensable implementation measure for maintaining authenticity. Why is backup so deeply connected to authenticity? This article provides a clear explanation of this seemingly curious relationship.
What is Authenticity: A Fundamental Understanding
Three Aspects of Authenticity
To understand authenticity, it is essential to grasp the following three dimensions:
Proof of Creation Time
The ability to prove “when” a document or record was created. This demonstrates that the record was not backdated or created retroactively.
Assurance of Integrity
The ability to prove that a record has not been altered or deleted after its creation. This refers to the state in which the original data is preserved without corruption.
Continuous Preservation
The maintenance of records not just temporarily, but throughout the required retention period. This requirement becomes critically important when legal retention periods must be satisfied.
Why Authenticity is Required
In business operations, transaction records and audit trails serve as crucial evidence during tax audits and legal disputes. If records have been tampered with or if inconvenient portions have been selectively deleted, those records lose their value as evidence. Authenticity requirements exist to prevent such situations and to guarantee the reliability of records.
According to international data integrity guidance from regulatory bodies such as the FDA (U.S. Food and Drug Administration), MHRA (UK Medicines and Healthcare products Regulatory Agency), and PIC/S (Pharmaceutical Inspection Co-operation Scheme), authenticity is often articulated through the ALCOA+ principles: Attributable, Legible, Contemporaneous, Original, Accurate, plus Complete, Consistent, Enduring, and Available. These principles emphasize that records must be preserved in their original form throughout their lifecycle.
The Overlooked Risk of “Loss”
Tampering is Not the Only Problem
When most people hear the term authenticity, they associate it with “prevention of tampering.” Indeed, unauthorized alteration of data is a typical act that compromises authenticity. However, tampering is not the only threat to authenticity.
Data loss also constitutes a serious threat to authenticity.
This is because if records do not exist, it becomes impossible to prove that the work or activities were properly conducted. The following situations are particularly problematic:
Loss Due to Disaster
Cases where servers or storage devices are physically destroyed by fire, earthquake, flooding, or other disasters, resulting in data loss. The 2011 Great East Japan Earthquake saw many companies lose critical records due to data center damage. More recently, the 2024 Noto Peninsula Earthquake in Japan and various flooding events worldwide have reinforced the importance of geographically distributed backup strategies.
Loss Due to System Failure
Cases where data becomes corrupted or encrypted and inaccessible due to hardware failure, software bugs, or ransomware attacks. According to Cybersecurity Ventures, global ransomware damage costs are projected to exceed $265 billion annually by 2031, with attacks occurring every 2 seconds. The healthcare and pharmaceutical industries have been particularly targeted, with notable incidents affecting hospital systems and research data.
Loss Due to Human Error
Cases where data is inadvertently lost through accidental deletion, configuration errors causing data overwrites, or other unintended actions. Studies by IBM suggest that human error accounts for approximately 23% of data breaches and security incidents.
The Irreversibility of Audit Trail Loss
A critical point here is that once lost, audit trails can never be restored.
For example, suppose transaction records from three years ago are lost due to a disaster. The invoices and contracts related to those transactions might still exist in paper form. However, electronic audit trails such as system processing logs, approval histories, and change histories cannot be reconstructed once lost from the original system.
Some might think, “Can’t we just recreate them later?” However, that very act compromises authenticity. Records created retroactively do not carry the timestamp of the original creation time, raising doubts about “whether the records truly existed at that point in time.” In tax audits or legal disputes, such records are highly unlikely to be recognized as valid evidence.
This principle aligns with regulatory expectations outlined in FDA 21 CFR Part 11 (Electronic Records; Electronic Signatures), which requires that electronic records be maintained with metadata including the date and time of record creation, and that audit trails capture changes without obscuring the original entry.
Why Backup is Essential for Maintaining Authenticity
An Implementation Measure for Continuous Preservation
From the discussion thus far, it becomes evident that backup is indispensable for realizing the third aspect of authenticity: “continuous preservation.”
Backup is a mechanism that maintains records in a recoverable state even in the event of disasters or system failures. In other words, having backups ensures the following:
Continuity of Records
The ability to demonstrate that records exist continuously from the past to the present without interruption.
Maintenance of Immutability
When original records are lost, proof of their integrity is also lost. With backups, it becomes possible to verify the presence or absence of tampering by comparing against the original records.
Compliance with Legal Retention Periods
Many laws and regulations mandate the preservation of records for specific periods. Without backups, reliable fulfillment of this obligation becomes impossible. For example, Japan’s Electronic Bookkeeping Preservation Act requires retention for up to seven years (or ten years in certain cases), while the U.S. Sarbanes-Oxley Act mandates retention of audit records for seven years.
Implementation Requirements for Maintaining Authenticity
In various regulations including the Electronic Bookkeeping Preservation Act, as well as international data integrity guidance from organizations such as the FDA, MHRA, and PIC/S, backup is mandated in the following forms:
Ensuring Availability
Maintaining systems in constant operation and ensuring that records are accessible when needed. Backup functions as an alternative when the primary system fails. This concept is fundamental to the “Available” principle in ALCOA+.
Disaster Recovery (BCP)
As part of business continuity planning, critical data must be backed up to remote locations. This prevents data loss even in localized disasters. ISO 22301 (Business Continuity Management Systems) provides an international standard framework for establishing such capabilities.
Audit Readiness
When auditors verify historical records, a system must be in place to allow examination of data restored from backups. The FDA’s guidance on data integrity emphasizes that backup and recovery procedures must be validated and tested regularly.
Additionally, under the EU’s General Data Protection Regulation (GDPR) Article 32, organizations must implement “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident,” further emphasizing backup as a security and compliance requirement.
Appropriate Backup Strategies in Practice
Fundamental Principles of Backup
Effective backups that ensure authenticity adhere to several important principles:
The 3-2-1 Rule
Create three copies of data, store them on two different types of media, and keep one copy in a remote location. Following this principle enhances resilience against multiple simultaneous failures. More recently, the “3-2-1-1-0 rule” has gained traction, adding: one copy should be offline or air-gapped (immutable), and zero errors should be found during recovery verification.
Regular Execution
Backup is not a one-time task. As new transactions and records are generated daily, backups must be executed regularly. Typically, schedules are set according to data criticality and update frequency, such as daily, weekly, or monthly intervals. For mission-critical systems in regulated industries, continuous data protection (CDP) or near-continuous replication may be necessary.
Conducting Restoration Tests
To confirm that backups are functioning properly, it is essential to conduct regular restoration tests. Even if backups are being taken, they are meaningless if they cannot be restored when needed. Industry best practices recommend testing at least quarterly, with full disaster recovery drills conducted annually. The restoration test results themselves should be documented as part of the quality management system.
Integration of Backup and Timestamps
While backup alone provides certain benefits, combining it with timestamps dramatically enhances the evidentiary power of authenticity.
For example, the following operational approach can be considered:
Apply a timestamp at the moment a transaction record is created; periodically back up the entire database containing that record; apply a timestamp to the backup data as well.
This method clarifies “when the record was created” and “when the backup was taken,” objectively proving that there has been no tampering or retroactive creation. Qualified timestamps from trusted time-stamping authorities (TSAs) that comply with RFC 3161 or eIDAS (Electronic Identification, Authentication and Trust Services) regulations provide legally recognized proof of existence at a specific point in time.
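The operational approach above, as an added example that is not part of the original article: each record carries its creation timestamp, a manifest of SHA-256 digests is sealed at backup time, and a restore is checked against it so that loss, alteration and records added afterwards are reported separately. The function names and sample records are constructed for illustration, and the manifest digest stands in for the value that would be submitted to an RFC 3161 timestamping authority; no TSA is contacted.

```python
import hashlib
import json

def _sha256_json(obj) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def build_manifest(records: dict, backup_time: str) -> dict:
    """Written at backup time: one digest per record plus a digest over the
    manifest body. Assumption: manifest_digest is the value that would be
    sent to an RFC 3161 TSA; this example does not contact one."""
    body = {"backup_time": backup_time,
            "entries": {rid: _sha256_json(rec) for rid, rec in records.items()}}
    return {**body, "manifest_digest": _sha256_json(body)}

def verify_restore(manifest: dict, restored: dict) -> dict:
    """Check a restored data set against the manifest sealed at backup time."""
    body = {"backup_time": manifest["backup_time"], "entries": manifest["entries"]}
    expected = manifest["entries"]
    return {
        "manifest_intact": _sha256_json(body) == manifest["manifest_digest"],
        "missing": sorted(set(expected) - set(restored)),      # record loss
        "altered": sorted(rid for rid in expected               # tampering
                          if rid in restored
                          and _sha256_json(restored[rid]) != expected[rid]),
        "unexpected": sorted(set(restored) - set(expected)),   # added after sealing
    }

# Constructed sample records; each carries the timestamp applied at creation.
RECORDS = {
    "TX-0001": {"created_at": "2024-04-01T09:15:02Z", "amount": 120000, "approver": "sato"},
    "TX-0002": {"created_at": "2024-04-01T10:41:37Z", "amount": 58000, "approver": "tanaka"},
    "TX-0003": {"created_at": "2024-04-02T14:03:11Z", "amount": 9900, "approver": "sato"},
}
MANIFEST = build_manifest(RECORDS, backup_time="2024-04-03T00:00:00Z")

def demo_bad_restore() -> dict:
    """Restore where one record was edited, one lost and one added afterwards."""
    restored = {rid: dict(rec) for rid, rec in RECORDS.items()}
    restored["TX-0002"]["amount"] = 5800           # edited amount
    del restored["TX-0003"]                        # lost record
    restored["TX-0004"] = {"created_at": "2024-04-01T08:00:00Z", "amount": 1, "approver": "x"}
    return verify_restore(MANIFEST, restored)

if __name__ == "__main__":
    print(verify_restore(MANIFEST, RECORDS))
    print(demo_bad_restore())
```

A restoration test passes only when all three lists are empty and `manifest_intact` is true, which corresponds to the "zero errors" condition of the 3-2-1-1-0 rule.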
Backup Strategies in the Cloud Era
In recent years, many companies have adopted cloud services. Backup in cloud environments involves considerations different from traditional approaches:
Scope of Cloud Provider Responsibility
In most cloud services, providers guarantee infrastructure availability, but data backup is generally the responsibility of the user. However, this varies depending on the contract, so it is essential to thoroughly confirm the scope of responsibility before using a service and, if necessary, utilize additional backup services. This is commonly articulated through the “Shared Responsibility Model,” where cloud providers are responsible for “security of the cloud” while customers are responsible for “security in the cloud.”
Major cloud providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) offer various backup solutions, including automated snapshot services, cross-region replication, and third-party backup integration. However, organizations must actively configure and manage these features—they are typically not enabled by default.
Multi-Region Configuration
Leveraging cloud advantages, disaster risk can be mitigated by distributing data across multiple geographically distant data centers (regions). For example, AWS offers 33 geographic regions globally as of 2025, allowing customers to implement cross-region backup and replication strategies. This approach aligns with the international standard ISO/IEC 27031 for ICT readiness for business continuity.
Immutable Backup Storage
An emerging best practice in cloud backup strategies is the use of immutable or write-once-read-many (WORM) storage. This technology ensures that backed-up data cannot be modified or deleted for a specified retention period, providing protection against ransomware attacks and insider threats. Services like AWS S3 Object Lock, Azure Immutable Blob Storage, and GCP Bucket Lock offer such capabilities.
Future Outlook
Response to Regulatory Strengthening
There is a global trend toward strengthening data governance regulations. More stringent requirements may also be imposed on backup practices:
Audit Trails for Backup Operations
The execution history and restoration history of backups themselves may increasingly be required as audit trails. A system that records when, by whom, and which data was backed up or restored will become necessary. This aligns with the emerging concept of “security information and event management” (SIEM) in cloud environments.
Regulatory Convergence
Various jurisdictions are harmonizing their data integrity and record-keeping requirements. For instance, the International Council for Harmonisation (ICH) has published ICH Q7 (Good Manufacturing Practice Guide for Active Pharmaceutical Ingredients) and ICH E6(R2) (Good Clinical Practice), both emphasizing data integrity and backup requirements. Organizations operating globally must navigate these converging standards.
Artificial Intelligence and Automation
The integration of AI and machine learning in backup management is becoming more prevalent. Predictive analytics can anticipate system failures, optimize backup schedules based on data change patterns, and automate restoration processes. However, these technologies must themselves be validated and documented to meet regulatory requirements.
Emerging Technologies and Standards
Blockchain for Backup Verification
Some organizations are exploring blockchain technology to create immutable logs of backup operations, providing an additional layer of verification for authenticity and compliance.
Zero Trust Architecture
The adoption of zero trust security models impacts backup strategies by requiring continuous verification of access rights and encryption of data both in transit and at rest, including backup copies.
Conclusion
The reason backup is indispensable for maintaining authenticity is that it realizes the fundamental aspect of authenticity: “continuous preservation of records.” If audit trails are lost due to disasters or system failures, they can never be restored. Preventing not only tampering but also loss is an essential element in ensuring authenticity.
Backup should not be viewed merely as a means of data protection but positioned as a critical implementation requirement for maintaining authenticity. Establishing appropriate systems is becoming an essential initiative for companies to survive in the coming era. While backup methods continue to advance with technological evolution, we must not forget the underlying purpose: “to protect and prove records.”
What is crucial is not only to regard backup as “insurance for emergencies” but to establish it as an integral part of daily compliance activities within the organization. By recognizing the value of backup from the perspective of authenticity and realizing a more reliable record management system, companies can build a foundation of trust that will serve as the key to becoming a trusted enterprise in the future.
Key Compliance Frameworks and Their Backup Requirements
| Regulation/Standard | Jurisdiction | Primary Backup Requirement | Retention Period |
| --- | --- | --- | --- |
| Electronic Bookkeeping Preservation Act | Japan | Periodic backup with disaster recovery capability | 7-10 years |
| FDA 21 CFR Part 11 | United States | Validated backup and recovery procedures with audit trails | Varies by record type |
| GDPR Article 32 | European Union | Ability to restore data availability in timely manner | As required by data processing purpose |
| ISO 22301 | International | Business continuity management including backup strategies | Defined by organization |
| SOX Act (Section 802) | United States | Retention of audit records including backup copies | 7 years |
| MHRA GXP Data Integrity | United Kingdom | Regular backup with tested restoration procedures | Varies by product lifecycle |
| PIC/S PI 041-1 | International | Secure, regular backup with recovery testing | As per local requirements |
This comprehensive approach to backup as an authenticity requirement reflects the evolving understanding that data integrity encompasses not only preventing unauthorized changes but also ensuring the continuous availability and recoverability of critical records throughout their required lifecycle.