This article can also be found in the Premium Editorial Download "Information Security magazine: Tips for navigating the maze of global security regulations."

Unencrypted data at rest is data at peril.


Since Bank of America disclosed in 2005 that it lost a backup tape with customers' personal data, nearly 30 other companies have reported similar embarrassing mishaps. The list of organizations losing tapes with sensitive personal information includes many high-profile names: Ameritrade, Time Warner, CitiFinancial, ABN Amro Mortgage Group, People's Bank, Con Edison, the U.S. Department of Veterans Affairs and Chase Card Services. The breaches affected millions of people, resulted in millions of dollars in direct costs, and even more in indirect costs.

Direct costs include notifying customers of the breach, estimated at $5 to $10 per person, and the expenses associated with controlling damage to the brand, such as advertising in national newspapers. Indirect costs stem from damage to the brand. A loss of trust can easily cause some customers to depart, or potential customers to choose another company to do business with; either way, it's lost revenue.

The key to your organization avoiding this fate is encryption, as all unencrypted backup tapes are readable by determined cybercriminals, no matter what your vendor tells you. Some vendors claim that their backup format is proprietary and can't be read without their database and software--don't believe them. Backup formats are irrelevant to laws such as California's SB 1386; if you lose control of unencrypted personal information, you must notify the affected customers. If you can't notify them in a reasonable timeframe, you must contact the media. Several states have similar breach notification laws. As of the end of last year, these laws only apply to unencrypted data. You are not required to notify anyone if the data was encrypted.

It's a clear business case for encrypting tapes that are going to leave a company's physical location. It could save your organization millions of dollars if a tape is lost, and will ensure that any damage to your brand is minimal.

This was first published in February 2007
