According to the Identity Theft Resource Center, 39 data breaches have been reported by U.S. financial institutions in 2010 (as of August 10). The causes range from the expected “insider theft” and “skimming” to the peculiar “accidental breaches” (does this insinuate that the others were on purpose?). But the most common cause is “stolen or missing hardware,” which accounted for about one in six of these data breaches.
For example, a backup hard drive containing sensitive information of Wachovia Bank customers was stolen from a law office in Irvine, Calif. in June 2009. The breach was reported to the Maryland Attorney General’s office in March 2010 and listed 953 compromised records in that state, but the nationwide figure was not disclosed. Also, in February 2010, Proxima Alfa Investments (now in liquidation) reported to the New Hampshire Attorney General’s office that an unspecified number of backup tapes were missing from the firm’s New York office. The theft was discovered in November 2009 and an undetermined number of customers’ personal data was exposed.
These two incidents—and the countless others involving missing storage media—reiterate the need for storage-level encryption as a proactive, best-practices process for data protection. The loss of unencrypted data on backup media often requires organizations to make the incident public to comply with industry and government regulations. Typically, there are also significant costs associated with reporting the breach, including fines, legal action, lost business and the subsequent cost of remediation. Encrypting all backup devices could preclude this situation by providing safe harbor, reducing an organization’s liability.
Yet some companies remain hesitant to encrypt information stored on backup tapes, despite the fact that the cost of deploying encryption is far less than the aggregate costs of dealing with a data breach. The primary cause for this uncertainty is the perceived challenges of key management—a storage manager is far more likely to lose his job if he mishandles the keys and data cannot be recovered than he would if tapes go missing.
Fortunately, new technologies and processes are being developed to cost-effectively automate and simplify the key management process, enabling storage administrators to confidently deploy encryption and ensure that encrypted backup tapes can be readily accessed when needed.
So as other financial institutions join Proxima Alfa Investments and Wachovia on the growing list of firms suffering data breaches via lost or stolen backup media, it is advisable and increasingly practical for IT managers to take a broad-brush approach to storage-level encryption and establish it as a default layer of protection. With the right key management technologies and processes in place, storage managers can remain in full control and often avoid the burden of disclosing the breach and ensuring that data is protected at all times.