Since Bank of America disclosed in 2005 that it lost a backup tape with customers' personal data, nearly 30 other companies have reported similar embarrassing mishaps. The list of organizations losing tapes with sensitive personal information includes many high-profile names: Ameritrade, Time Warner, CitiFinancial, ABN Amro Mortgage Group, People's Bank, Con Edison, the U.S. Department of Veterans Affairs and Chase Card Services. The breaches affected millions of people, resulted in millions of dollars in direct costs, and even more in indirect costs.
The key to your organization avoiding this fate is encryption, as all unencrypted backup tapes are readable by determined cybercriminals, no matter what your vendor tells you. Some vendors claim that their backup format is proprietary and can't be read without their database and software--don't believe them. Backup formats are irrelevant to laws such as California's SB 1386; if you lose control of unencrypted personal information, you must notify the affected customers. If you can't notify them in a reasonable timeframe, you must contact the media. Several states have similar breach notification laws. As of the end of last year, these laws only apply to unencrypted data. You are not required to notify anyone if the data was encrypted.
It's a clear business case for encrypting tapes that are going to leave a company's physical location. It could save your organization millions of dollars if a tape is lost, and will ensure that any damage to your brand is minimal.
CIO Research Library
