Backup Encryption Should Not Be Avoided

By | August 20, 2006

One thing became glaringly clear to organizations in 2005—storage security must be improved in order to avoid the public relations and logistical nightmares that have surprised both consumers and corporate chief information officers. Recent events are enough to keep storage and backup professionals up at night.

One well-known, large organization lost computer backup tapes containing personal information on current and former employees because an outside data storage company misplaced them. In a similar instance, a large financial services organization lost several backup tapes, with records detailing the financial information of government employees, because an overnight shipping company lost the tapes.

In fact, just a few days before the end of the year, we had one last incident of stolen, unencrypted backup tapes. All of these incidents caused companies to lose millions of dollars. They have driven home the imperative for more effective storage security practices, especially as it relates to backup tapes that leave or reside outside corporate data centers.

The heightened scrutiny and concern over corporate losses of consumer data stems from a dramatic rise in consumer identity theft. Between 2002 and 2004 the number of reported cases of identity theft rose by 52%. Online security breaches, server attacks, and theft or loss of computers or media with sensitive data have been some of the ways that personal and corporate information ends up in the wrong hands.

Laws such as the California Information Practice Act (Senate Bill 1386) have called more attention to the problem and increased consumer awareness surrounding identity theft and personal data protection. The California law requires organizations that maintain personal information about California residents to inform those individuals if the security of their personal information has been compromised. The Act stipulates that a company must notify California residents of a known or possible breach of security, of any system or media, that would result in the acquisition of unencrypted personal information by an unauthorized person. No laws existed prior to this one that required corporate disclosure for such incidents.

The large population of California and its role in the national economy give this state law the teeth of a federal law. As a result, companies based across the country have been required to report breaches because they involved Californian residents. The increased disclosure of privacy and security breaches has increased awareness about the frequency of incidents and, more importantly, the lack of laws or consistent procedures to safeguard both corporate and citizen information. The number of incidents this year has spurred the proposal of new laws, similar to the Californian one enacted in 2002, at both the state and federal level.

Unencrypted backup tapes stick out as a major and largely unaddressed vulnerability for many companies. Today, a single backup tape can easily hold millions of records. Native capacity of backup tapes can range from 40 to 500 GB. Because of this high density, a single lost tape can compromise more personal information than many of this year’s online break-ins. In the case of one financial services organization, a small number of misplaced backup tapes contained information on a reported 1.2 million accounts, significantly more compromised information than in recent online breaches. A closer look at the details of security breaches in 2005 reveals that the largest number of affected people (not incidents) comes from misplaced or stolen backup tapes, not online security breaches.
