This article can also be found in the Premium Editorial Download "Information Security magazine: Tips for navigating the maze of global security regulations."
Download it now to read this article plus other related content.
Unencrypted data at rest is data at peril.
Since Bank of America disclosed in 2005 that it lost a backup tape with customers' personal data, nearly 30 other companies have reported similar embarrassing mishaps. The list of organizations losing tapes with sensitive personal information includes many high-profile names: Ameritrade, Time Warner, CitiFinancial, ABN Amro Mortgage Group, People's Bank, Con Edison, the U.S. Department of Veterans Affairs and Chase Card Services. The breaches affected millions of people, resulted in millions of dollars in direct costs, and even more in indirect costs.
Direct costs include notifying customers of the breach, estimated at $5 to $10 per person, and the expenses associated with controlling damage to the brand, such as advertising in national newspapers. Indirect costs stem from damage to the brand. A loss of trust can easily cause some customers to depart, or potential customers to choose another company to do business with; either way, it's lost revenue.
The key to your organization avoiding this fate is encryption, as all unencrypted backup tapes are readable by determined cybercriminals, no matter what your vendor tells you. Some vendors claim that their backup format is proprietary and can't be read without their database and software--don't believe them. Backup formats are irrelevant to laws such as California's SB 1386; if you lose control of unencrypted personal information, you must notify
It's a clear business case for encrypting tapes that are going to leave a company's physical location. It could save your organization millions of dollars if a tape is lost, and will ensure that any damage to your brand is minimal.
This was first published in February 2007