Presented by Realtimepublishers

Subject: More Lost Tapes!

01/23/2006 6:57 PM

Well, there has been another recent incident regarding the backup tapes being lost while in transit to offsite storage. People's Bank is notifying approximately 90,000 affected customers that a tape containing confidential data was lost recently while being transported by UPS to TransUnion, a credit reporting bureau. People's Bank has posted information about the incident on their site (http://www.peoples.com/about/peoples/0,8397,14098,00.html). Several news agencies have reported on this story, including SC Magazine (http://www.scmagazine.com/uk/news/article/535840/peoples-bank-atlantis-faced-breaches/) and the Connecticut Post (http://www.connpost.com/business/ci_3394540), as well as non-U.S. publications such as Finextra in the UK (http://www.finextra.com/fullstory.asp?id=14745). Numerous other backup tapes were lost throughout 2005, most by UPS or Iron Mountain.

Until we had California SB 1386 we never read about these lost tapes in the news…is this really anything new?  How long have tapes with personal information been going missing without anyone being told?  Do you think any frauds have occurred as a result of any such past data losses falling into unscrupulous hands? 

I also wonder about whether or not this is prompting organizations to encrypt their backup tapes, and other storage media.  Is your organization planning to start encrypting all data that goes outside your facilities?  Or, perhaps encrypt all personal data as a matter of basic business practice?


03/03/2006 11:51 AM
It is amazing to see the number of incidents related to lost/stolen backup tapes. I'm also surprised to read about the sheer number of stolen laptops that result from an employee/contractor leaving their laptop containing personal data (customer data) in their automobiles.

It'll take a combination of both policies and procedures in addition to data encryption. At a minimum, backup procedures should include encryption so that the resultant data is protected even if it is stolen. The same goes for test data. It needs to be obfuscated or secured in some fashion when it's moved from production into a test environment.

Gregory Davoll

03/03/2006 7:39 PM
Thank you for your post, Gregory.

I agree...and regarding incidents, with laptops and backup media, more were reported this week. Just this morning it was reported that a college's laptop containing clear text student names and SSNs was stolen from the home of an employee (http://cbs4denver.com/crime/local_story_061234002.html). Well-written policies and procedures visibly supported by management coupled with strong encryption, and an effective info sec training program, definitely would have averted many incidents that have occurred.

The topic of test data is a very interesting one; I wrote about this for the December 2005 CSI Alert Newsletter ("Is There Privacy When Testing?"). There are definite privacy issues and concerns with using production data for testing...and in some countries this practice violates data protection laws. There are several ways in which this data can be de-identified or obfuscated for testing purposes which I covered in the column.

Encryption solutions now are generally so much more efficient, (comparatively) economical, and easy to use than old solutions that organizations really should look at the options and avoid this growing trend of incidents involving backup media and test data mishaps.

One of my mottos is, "Encrypt...because breach happens!" Perhaps some day encryption will be just an accepted business practice instead of the exception.

03/23/2006 6:26 PM
What a lot of people should be asking is, what exactly was that data doing on a laptop anyway? I have personal, first-hand experience with the loss of our family's data when the Boeing laptop was lost/stolen containing 401(k) info. (They were very good in their response by the way, paying for 3 years of premium monitoring service.) I would think that this data should only be handled at an individual record level by someone in HR, and try as I might I can't think of one good reason why an HR person would need a laptop, much less to have that data stored locally (probably in an Excel spreadsheet) on that laptop, and be carrying that data around. There are certain job functions that should be absolutely prohibited from telecommuting, and this doesn't seem like the kind of job that would require a lot of travel. Once we get those issues addressed (with policies and procedures of course) we can worry about encrypting the data. All I can do at the moment is stop pondering this conundrum before I get a headache and keep an eye on that monitoring service! -Kimber