What is storage?
“The privacy group is filing an amicus brief asking the high court to accept an email privacy case from South Carolina that’s exacerbated confusion over what courts consider electronic storage,” writes the political journalism site Politico. “In the filing, submitted on behalf of nearly 20 privacy advocates, EPIC tells the Supreme Court that email privacy rules and definitions have become increasingly unclear, thanks to the rise of cloud computing, and Congress has yet to step in to fill the gap.”
The whole question of what “storage” is arose last fall, when the South Carolina Supreme Court ruled that, under the Stored Communications Act (SCA), email in a Yahoo! account should not be considered protected from unauthorized access because email sitting in the cloud was not “stored” the same way as it would be sitting on one’s own computer — which was protected.
By that reasoning, the same would be true for anyone who uses a cloud-based email system — not just Yahoo, but also Gmail and a plethora of other systems. Not to mention some components of the federal government itself that have moved to cloud-based email, EPIC notes in its brief.
The original case was a domestic dispute — a husband was cheating on his wife, and the wife’s daughter-in-law figured out the husband’s e-mail password and logged in to his personal account to read the e-mails between the husband and his paramour, wrote Orin Kerr in The Volokh Conspiracy legal blog. “The daughter-in-law found the e-mails and shared them. The husband filed suit under several laws including the Stored Communications Act, 18 U.S.C. 2701, which only allows a civil suit if the e-mails accessed were in ‘electronic storage.’”
The Supreme Court may get involved because this decision conflicts with a similar case by the Ninth Circuit Court in 2004, wrote Andrew Hoffman at the Information Law Group blog.
“The Jennings opinion establishes a split with the Ninth Circuit’s opinion in Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004), which found that emails that had been received, read, and left on the server were stored “for purposes of backup protection” and therefore within the ambit of the SCA,” Hoffman wrote.
This is a problem because it’s not good for different courts to have different ideas of what does and doesn’t constitute a legal issue, Hoffman wrote. “Thus, until the split of authority is resolved, the same conduct will disparately subject some individuals to civil liability, depending on the interpretation of the SCA applied by the court. Such disparate interpretations could create an incentive for forum shopping and pose conflict of law questions, when multiple states (and even nations) could be involved in an email hacking case. Such disparate interpretations may also pose problems for employers investigating suspected employee misconduct involving webmail.”
Just to show how confused the South Carolina court was, its judges couldn’t even agree on why the email wasn’t stored, but instead had three different opinions, Kerr wrote.
Aside from the question of protection, the definition of “storage” matters because it is the primary difference between the Stored Communications Act — the law under which the original suit was filed — and the Electronic Communications Privacy Act, according to EPIC.
A related question is “What is a backup?” because some of the legal arguments also hinged on whether the email retrieved from the account was the “only copy” or a backup — a question that is kind of irrelevant in cloud storage, which may feature multiple replicated copies of data, EPIC writes.
“A wealth of personal and private messages are now stored remotely in the cloud, and their protection depends on the interpretation of ‘electronic storage’ under ECPA,” EPIC writes.
Optical discs are either dead, or better than ever. It depends on whom you ask.
They’re dead according to CNN, which points to the fact that some recent Apple computers no longer have optical disc drives, that of course tablets and smartphones don’t have them, that vendors such as Sony no longer even make them, and that increasingly people are downloading music, movies, and software from the cloud.
“Over time, an optical disc will be as much of an historical curiosity as a floppy disk,” CNN quoted Michael Gartenberg, a tech-industry analyst with research firm Gartner Inc., as saying.
CNN also quoted a piece by Chris Pirillo, founder of blogging network Lockergnome, as saying, “While it may be too early to say for certain that the optical drive is absolutely dead, it is certainly showing all the early warning signs of a technology that is past its prime.”
On the other hand, not so fast, maybe.
Pirillo’s piece was written two years ago. “As this trend continues, it’s unlikely that optical drives will be included on game consoles at all,” he predicted. Yet as recently as this month, analyst firm IDC said it didn’t see optical drives leaving gaming consoles anytime soon.
“Discs will remain the console game revenue mainstay for years to come,” said Lewis Ward, research manager of IDC’s Gaming service, in Games Industry International. “With the advent of eighth-generation consoles, starting with the Wii U, historical norms strongly imply that game disc revenue will stop bleeding in 2013 and rise substantively in 2014.”
Okay, you say, that’s fine for games, but what about business users? While some new machines may no longer include optical drives, they continue to be a medium of choice for archival storage.
Moreover, vendors are still announcing new innovations in optical storage, such as Millenniata, which earlier this month announced it will offer ultra-durable Blu-ray M-Discs in the second quarter of 2013 that will store five times as much data as a standard disc and yet be able to be read and written in a standard Blu-ray player. The drives are even being included in some Acer computers.
Similarly, vendors such as JVC and IoSafe are releasing archive-quality optical discs for use in specialized verticals such as law enforcement, noted Tim Dees of PoliceOne.Com. The large amount of storage provided by optical drives is necessary to store video files, he said.
While it may be true that optical drives are on the way out, they’re obviously far from dead.
Now that everyone’s used the holidays to digest the news about HP and Autonomy, HP is reportedly receiving offers to purchase the troubled UK e-discovery company — but people in the know say HP won’t go for it.
HP sort of brought all this interest upon itself by saying in a December 27 10-K regulatory filing that it would consider divesting some businesses “that may no longer help us meet our objectives.” Consequently, HP has received expressions of interest from several high-tech companies, but company executives aren’t interested, according to the Wall Street Journal. And reporters such as Arik Hesseldahl from AllThingsD say that the phrasing was due to the lawyers and had nothing to do with the company’s real intentions.
And, you know, honestly, that’s the news. More than 80 news stories, and that’s all there is. Everything else is speculation.
Analysts can’t even decide whether selling Autonomy would be hard, with some of them saying it would be easy because the acquisition is recent and the company was fairly, uh, autonomous under HP (one of the criticisms against it, actually). Others are saying it would be hard because HP is involved in litigation against Autonomy.
So far, most of the evidence does seem to indicate that HP is not going to sell Autonomy. After all, HP held a conference call with analysts a few days ago talking about its plans for the company — and, the proponents of that side ask, would it do that if it were planning to sell? The new head of Autonomy also reportedly recently told staffers that HP intended to hire at least 50 new engineers for Autonomy in the next year.
In fact, some believe that HP might be planning to sell its printing unit instead. There have been rumors that HP is receiving offers for EDS as well.
On the other hand, HP’s stock went up after the rumors started, and boards of directors tend to pay attention to such things. But analysts quoted in the Financial Times said HP might get only “pennies on the dollar” if it did sell Autonomy.
You know what they say about guys with big thumbs.*
The Consumer Electronics Show was this week in Las Vegas, and while I didn’t go (do you know how much walking around that involves?) it wasn’t hard to figure out that, with all the music and movies and pictures and so on that consumers are, well, consuming these days that — cloud or no cloud — storage is becoming increasingly important. Plus, to make the CES even more enticing to storage vendors, there’s a whole little show within a show, Storage Visions, held just before CES. “Petabytes are the new terabytes!” it proclaimed.
Besides, CES is typically a hardware show. It’s always been all about the gadgets, and the more extreme the better: bigger, smaller, harder, softer, faster.
Which brings us to the Kingston DataTraveler HyperX Predator 3.0, a thumb drive that holds a terabyte of data.
A. Terabyte. On. A. Thumb. Drive.
You know, just a year and a half ago I was whining because I wanted a terabyte on a laptop. Now I can put a terabyte in my pocket? (Despite its name, it doesn’t seem to have any particularly aggressive features.)
It’s expected to ship sometime this quarter for an undisclosed price, but as the New York Times points out, a 512-GB version available now costs $1,750. (In comparison, a 1-TB internal or external drive is less than a hundred bucks these days, and I still remember when a 10-MB hard drive was as big as the PC and cost as much and by the way, what are you kids doing on my lawn?)
Of course, as people have pointed out, such a gigundo thumb drive has its own problems, not the least of which is what happens when you run it through the laundry (my big fear), lose it out a hole in your pocket, or get a virus on it.
As much as the size, people were also impressed by the speed — which reportedly reads at 240MB/s and writes at 160MB/s. This is because it uses USB 3.0, which itself is expected to have its speed doubled, to 10 Gbps, in a year or so.
That wasn’t all the storage news at the show, but of course most other announcements pale in comparison:
- Seagate announced the Seagate Central network home storage system — which provides 4TB of automatic backup for the home, access to movies, music and photos from networked devices, as well as remote access — and Seagate Wireless Plus mobile storage, which can stream up to 10 hours of 500 HD movies to up to 10 devices over wireless.
- HP announced a similar unit, the Pocket Playlist — 32 GB for up to 5 devices — for $129, due in the middle of next month.
- LaCie announced BladeRunner, a pretty pretty 4TB external drive for $300, where “the warm interior electronics are encased in a mystifying shell, and the blades are the radiator that cools it down,” according to the designer. Um, okay. But it’s Limited Edition!
- Beam me up, Scotty. With the Transporter, you back up your files to it, and then it backs them up to other Transporter units that your friends own. This model seems to be predicated on wide penetration. Good luck with that.
- Buffalo Technology announced some new network attached storage devices.
*What do they say about guys with big thumbs? Why, big thumbs, big gloves. What did you think I was going to say?
You know how after Christmas, you go out and buy yourself all the stuff nobody gave you? Apparently Imation feels the same way; it just dropped $120 million on Nexsan.
Imation makes storage products, particularly media, for the enterprise, while Nexsan makes storage hardware and software for small to medium businesses. So really, this is not so much an acquisition about synergistic technology but simply one of one company buying another for its products and customers — 11,000, in Nexsan’s case.
The other advantage is that Nexsan is doing much better financially than Imation, which according to VentureBeat has failed to make a profit for the last five of its six years and restructured in October. Nexsan, on the other hand, had revenue of $82 million in 2011, has gross margins in the 40% range, and was close to breaking even on net earnings, according to the Star-Tribune. In comparison, Imation had $1.3 billion in sales and a 21.3% gross margin.
It’s not all one-sided; Imation, which has an international presence, is expected to provide a broader market for Nexsan, which is primarily in the U.S., Canada, and the U.K. The move also provides an exit strategy for Nexsan investors, who according to Forbes include MFP Partners, a fund controlled by the legendary mutual fund manager Michael Price; RRE Ventures; VantagePoint Venture Partners; and the Fonds de Solidarité des Travailleurs du Québec, a fund managed by the Quebec Federation of Labor, the largest union in Quebec. The company had planned an IPO — after two failed attempts in 2008 and 2010 — but withdrew it in April.
Imation is based in Oakdale, Minn., while Nexsan is based in Thousand Oaks, Calif., where it will continue to reside after the acquisition. Imation has 1,100 employees, 400 of which are in the Minneapolis area, while Nexsan has 200, according to the Minneapolis Star-Tribune.
The other interesting aspect of the acquisition is how it’s being financed. It was funded by about $105 million in cash and 3.3 million Imation common shares, equivalent to about $15 million, to make the total of $120 million. But the $105 million was about 56% of the company’s cash on hand, and the company had to issue new stock for the shares, which meant it diluted the value of existing shares.
The two companies will determine integration and global expansion activities between Imation’s Tiered Storage and Security Solutions business and Nexsan in the first quarter of 2013, NASDAQ said.
IBM announced earlier this month that it was acquiring StoredIQ, but exactly what the company does isn’t quite obvious. Part big data, part e-discovery, it’s sort of neither fish nor fowl.
As an example, analyst firm IDC included the Austin, Texas-based StoredIQ in its IDC MarketScape: Worldwide Standalone Early Case Assessment Applications 2011 Vendor Analysis, but Gartner hasn’t included it in either of its e-discovery Magic Quadrants — from which a number of larger vendors have plucked other acquisitions. (However, Gartner did name StoredIQ as a “Cool Vendor” in April of this year.)
Instead, IBM is working on creating a family of “information lifecycle management” applications, which are kinda both — big data, because it covers all an organization’s data, but also e-discovery, because part of the reason for having such applications is for litigation support, both for identifying data needed in legal situations but also to help reduce, in a legally justifiable way, the amount of such data in the first place.
StoredIQ’s advantage is that it manages the data in situ rather than by moving it to a secondary location, which saves the cost of the secondary storage, noted Zacks Equity Research, adding that the company had received $11.4 million in funding in August and had 120 clients — though it warns that IBM faces competition from vendors such as EMC, Oracle, and SAP.
The company has also been working to make its product, which includes software and an appliance, easy enough for even legal professionals to use, rather than requiring IT people to operate. In addition, it has partnered with a wide variety of other vendors over the years, including NetApp, EMC, and NewsGator, and supported a number of formats, including SharePoint and Office 365.
As big data has become more prevalent, companies are interested in saving their data in hopes of being able to analyze it at some point and improve their businesses. But this data hoarding, as Law Technology News calls it, is a problem for two reasons, the publication notes.
First, there’s the cost. Though the price of storage itself has been dropping, it still costs something, plus there’s the cost of managing it, backing it up, and so on — which could amount to $5,000 per terabyte, Law Technology News said.
Second, there’s the legal cost. Should an organization be sued, it not only needs to provide all the pertinent information that the other side asks for, but it has to find it in the first place — and the more data a company has, the more expensive that search is. Also, companies have to balance the value of the data for analysis with what it might cost them should it reveal something in a lawsuit. This cost is on the order of $15,000 per gigabyte, Law Technology News said.
In fact, legal organizations have been advising companies to look for opportunities to delete data, pointing out how much money they can save. However, they have to do this in a regular fashion, because once a lawsuit is filed, a “legal hold” is put on the data and it can’t be deleted, or a company is subject to large fines.
The acquisition becomes part of IBM’s Information Lifecycle Governance suite, headed by Deidre Paknad, vice president of Information Lifecycle Governance. Paknad had been CEO of PSS Systems Inc. in Mountain View, Calif., a pioneer in the e-discovery space, which itself was acquired by IBM in 2010. The group also includes Vivisimo, which IBM acquired earlier this year.
The acquisition was not a surprise; IBM had partnered with StoredIQ for two years. As is typical for IBM, it did not reveal the cost of the acquisition. It is expected to be finalized in the first calendar quarter of 2013.
It shouldn’t be any surprise in this incident, about which nothing makes any sense, but it isn’t clear what the status is of Adam Lanza’s computer hard drive, which was smashed/damaged/destroyed by a hammer/screwdriver/sharp object that left data on it irretrievable/able to be recovered, according to which publication you read and which data forensics expert they consulted.
Here’s a breakdown of the issues involved.
Was the disk drive solid-state or traditional spinning disk? There has been increasing use of solid-state drives in computers, either due to interest in improved performance or in reaction to last year’s Thai flooding, which damaged a number of hard disk manufacturing plants and made spinning disk storage more scarce and expensive.
What’s the difference? While both kinds of drive are susceptible to damage — as anyone who’s lost a drive by dropping it knows — solid-state drives are even more susceptible to damage.
“Many SSD hard drive failures are in fact unrecoverable,” writes The Inquisitor. “If the remapping tables that keep track of data in memory cells get trashed the data is effectively randomized and mixed up with data blocks which were marked as corrupted and unusable even before the SSD failed. Many SSD models also come with internal encryption that will make the lives of data forensics experts difficult.”
If it was a spinning disk, how was it damaged? For the sake of argument, though, let’s assume it’s a traditional spinning disk drive. Then the question becomes, how was it damaged? Neither reporters nor crime investigators are necessarily computer experts, and the descriptions of the damage have been vague — they don’t even specify whether Lanza had a desktop or a laptop.
Some reports indicate that Lanza removed the hard drive from the computer before damaging it, which would make it more likely that the drive itself would actually have sustained damage.
But because the platters in the hard drives that hold data are so sensitive, manufacturers tend to do what they can to protect them. Consequently, depending on how the hard drive was damaged, the platters inside could have been anything from undamaged to shattered.
How could the data be retrieved from the damaged hard drive? There are all sorts of third-party data recovery services, and chances are the FBI — which has plenty of forensics chops itself — is talking to all of them about the best way to retrieve data from whatever remains of the platters, as well as, more than likely, the manufacturer of the drive itself. Even if the platters were shattered, they could conceivably be reassembled and at least partially read.
“The level of detail they can rip out of systems these days seems incomprehensible to most people,” Rob Lee, a forensic specialist who has examined computers seized from terrorists for the U.S. intelligence community, told the Washington Post, which wrote in detail about the various ways data could be recovered. Even data from the crashed space shuttle Columbia was nearly 100% recoverable, the article noted.
Is the data available anywhere else? Even if all the data on the drive itself is irretrievable, it might be available elsewhere, ranging from a backup, to a synchronization service such as Dropbox, to copies of data and other information obtained from sources such as Lanza’s Internet service provider, email services such as Google, or his online gaming records.
“Many e-mail providers, such as Yahoo and Google, store data on their servers for a period of time, meaning that police might be able to subpoena Lanza’s provider for access to whatever data they have,” writes the Christian Science Monitor. “Google also stores information about users’ searches and other online activity indefinitely, although it anonymizes IP addresses after 9 months, making it impossible to tell what a given user was doing online prior to that time.”
While there has been increasing concern from civil liberties organizations about the amount of information that services collect and to which law enforcement organizations have access, in this particular case, it may be our best hope in trying to make some sort of sense of this tragedy.
What it takes is enough motivation and the right equipment — and the F.B.I. has both, writes Popular Mechanics.
Somewhere along a long, nondescript brick wall, there’s a little spot that’s different from the rest. Poking out from the rough surface of the wall is the half-inch extension of a USB flash drive. You connect it to your computer, upload or download files, and you’re on your way, with no one the wiser.
We learned about “dead drops” (at least, those who didn’t know about them already did) a few weeks ago when General Petraeus got caught exchanging messages with his mistress by leaving messages in draft form in a shared Gmail account. But there’s another kind that offers a lot more possibilities — and risks.
It all started in October, 2010, when Berlin-based media artist Aram Bartholl came up with the idea as an art project: Install a USB flash drive in a wall, and people could freely upload and download art from it. He started out with five USB dead drops in New York, and posted a website with instructions, including an instructional video.
“Dead Drops is an anonymous, offline, peer to peer file-sharing network in public space,” reads the Dead Drop Manifesto. “Anyone can access a Dead Drop and everyone may install a Dead Drop in their neighborhood/city. A Dead Drop must be publicly accessible. A Dead Drop inside closed buildings or private places with limited or temporary access is not a Dead Drop. A real Dead Drop mounts as a read and writeable mass storage drive without any custom software. Dead Drops don’t need to be synced or connected to each other. Each Dead Drop is singular in its existence. A very beautiful Dead Drop shows only the metal sheath enclosed type-A USB plug and is cemented into walls. You would hardly notice it. Dead Drops don’t need any cables or wireless technology. Your knees on the ground or a dirty jacket on the wall is what it takes to share files offline. A Dead Drop is a naked piece of passively powered Universal Serial Bus technology embedded into the city, the only true public space. In an era of growing clouds and fancy new devices without access to local files we need to rethink the freedom and distribution of data.”
The idea exploded, and soon there were USB flash drives poking out of walls (and dogs) all over the world. Srsly, there are more than 1100 of the things out there, according to the most recent map, ranging from New York to Toronto (where it contains porn and recipes) to New Zealand. (And those are just the public ones.) There are also apps to tell you where Dead Drops are, as well as a Flickr set and a Twitter feed. (In addition, wireless ones and DVD ones are being set up as well.)
Certainly the serendipity of these little data glory holes is high. It’s basically superduper high-tech geocaching. Just think of the data, good and bad, that could be exchanged: Pictures, movies, building plans for terrorists, porn, Anonymous plans, Wikileaks data… They’re even being used to generate fiction. Honestly, I’m surprised it hasn’t shown up in a Will Smith movie yet.
Needless to say, the whole process, like any USB stick, is fraught. What keeps people from downloading something like a virus (which was raised as a concern almost immediately) or child porn onto their laptops? (I cringe every time I see a picture of someone with their laptop plugged into one of these things, and hope that at least it’s a junk laptop devoted to the purpose.)
For that matter, what keeps someone from uploading a virus, and from there spreading it around the world? Recall that the Stuxnet virus was spread through USB flash drives enticingly scattered around. Set up something like this at Burning Man with a virus and you could shut down all of Silicon Valley by mid-September.
On the other hand, in a day and age where governments are shutting down the entire Internet in their countries, the notion of a way for rebels to exchange information in this clandestine way sounds pretty darn cool. What a great way for Mr. Phelps to get information — though of course you’d have to make sure that the government hadn’t set up its own USB dead drop to try to catch you. Or for people trapped in a country to get information outside the country — post a code message to Twitter and wait for someone with a tablet and a USB port to come along.
Or maybe I’ve just seen Red Dawn too many times.
In its list for 2013, IDC has predicted that the cloud file-sharing company Dropbox will be acquired next year.
“Dropbox will be acquired by a major enterprise infrastructure player,” the company wrote. “In another sign that “consumerization” doesn’t mean mimicking consumer technologies in the enterprise but actually acquiring and/or integrating with widely adopted consumer offerings in the enterprise, IDC predicts that Dropbox will be acquired by a major enterprise infrastructure player in 2013. This will certainly be an expensive acquisition, but it will be one that brings an enormous number of consumers (many of whom are also employees), and a growing number of ecosystem partners, along with Dropbox’s technology.”
“Expensive” is putting it mildly; a $250 million Series B funding round last fall gave the company a $4 billion valuation, which is expected to be even higher now (though GigaOm still thinks the market is small). Only a major enterprise infrastructure player would be able to afford it.
Part of what makes this prediction interesting is that a Dropbox IPO has been rumored — and highly anticipated — since last year. Dropbox founder and CEO Drew Houston had reportedly received a nine-figure acquisition offer from Apple early on, Forbes reported last year, but turned it down because he wanted to run a big company — though he sounded at the end of the article as though he might be reconsidering that.
As he walked out of [Facebook founder Mark] Zuckerberg’s relatively modest Palo Alto colonial, clearly en route to becoming the big company CEO he had told Steve Jobs he would be, Houston noticed the security guard parked outside, presumably all day, every day and pondered the corollaries of the path: “I’m not sure I want to live that life, you know?”
The downside with getting a big funding round is that eventually investors want to see some return on their investment — and typically that means either an IPO or an acquisition. Employees also typically want their big buyout, though Dropbox employee stock has reportedly been available on the secondary market.
The advantage of an acquisition by a major vendor is that it could give Dropbox the credibility and structure it would need to fit into the enterprise. It’s not that people aren’t using Dropbox. Quite the contrary — a recent survey by storage vendor Nasuni found that 20% of corporate users were using Dropbox.
This is despite the security and governance holes inherent with using a system such as Dropbox, the security holes in Dropbox in particular, and rules that corporations have attempted to put into place to keep people from using it. (Nasuni found that 49% of the people whose companies had rules against it were using it anyway.) As long as people have multiple devices — and they show no signs of stopping — and need access to their files, as well as the ability to send large files to other people, there’s going to be a need for the functionality, and all the rules in the world aren’t going to stop it, especially when, as Nasuni’s survey indicated, some of the worst offenders are executives.
“The most blatant offenders are near the top of the corporate heap — VPs and directors are most likely to use Dropbox despite the documented risks and despite corporate edicts,” writes GigaOm’s Barb Darrow. “C-level and other execs are the people who brought their personal iPads and iPhones into the office in the first place and demanded they be supported.”
So being purchased by a major player offers the opportunity to rein in some of these users, while still giving them the functionality they need. The company itself has also indicated that it plans to address the issue to make the product safer for corporate users — which would also make it more attractive to an acquirer.
The other likely aspect is that, as we’ve seen with e-discovery and other emerging markets, when the first big vendor goes, many of the smaller vendors quickly follow like dominoes. A Dropbox acquisition would likely presage a whole round of other ones; Wikipedia lists 17 “notable competitors,” including Box.Net and YouSendIt, and there are others. Acquisitions would also help simplify the complicated market.
Although major players such as Apple, Google, and Microsoft already offer their own cloud storage solutions, the vendors might want to acquire other ones for their technology, their people, or simply to get them off the market, while other vendors (dare I suggest HP, which doesn’t have a great track record on acquisitions these days?) would do so simply to get a toe in the market.
Either way, it seems likely that something will happen to this market next year.
There have been a couple of instances recently where government agencies have been careless with data, losing control of personally identifiable information such as Social Security numbers.
First, a NASA laptop that “contained records of sensitive personally identifiable information for a large number of NASA employees, contractors and others” was stolen from a vehicle, and while the laptop itself was password-protected, the data on it was not encrypted. In its memo about the incident, NASA didn’t say how many staffers might have been affected.
Second, the state of South Carolina’s Department of Revenue determined that hackers had broken into its database, putting the PII of up to 4 million people and 700,000 businesses at risk — again, because data had not been encrypted — in what is said to be the largest breach ever of a state agency. “Hackers also stole 3.3 million bank account numbers and the tax files of 700,000 businesses,” wrote Reuters. The Social Security numbers of 1.9 million children on parents’ returns were also compromised.
Are you detecting a Trend? Like, maybe, that encrypting PII is a Good Idea?
NASA, which had already lost another laptop in March to a similar theft, is actually in the process of implementing encryption on its systems — the stolen laptop just hadn’t gotten through the process yet. However, the agency expects all of its laptops to be encrypted by December 21, a spokeswoman told the New York Times. The agency didn’t say how much the breach would cost.
With South Carolina, its encryption plans are less clear. Gov. Nikki Haley — who had reportedly claimed the breach wasn’t the state’s fault until an investigation by the security company Mandiant proved her wrong — has been blaming the problem on “antiquated state software and outdated IRS security guidelines” that don’t require encryption. But while the state has implemented some security measures, such as increased monitoring, reports haven’t indicated anything yet about South Carolina installing encryption, though the Republican governor wrote the IRS a Strongly Worded Letter encouraging the federal agency to require states to do so.
“Had I known that IRS compliance meant that our Social Security numbers were not encrypted, I would have been shocked,” Haley was quoted as saying on local news.
Haley said the state also hadn’t encrypted the data because it was complicated. “But it’s highly unlikely that anyone on the security team at the Department of Revenue recommended storing millions of SSNs in plaintext because the alternative–deploying an encryption package–was too complicated,” wrote Dennis Fisher of Threatpost in a scathing rebuttal. “More likely, someone looked at his budget, looked at the price of the database encryption package, and made a hard choice. Lots of businesses, government agencies, non-profits and other organizations face the same choice every year and some of them decide that the cost of the encryption outweighs the potential benefit. And that can work out fine. That is, until something like the South Carolina data breach happens. Then things tend to be not fine.”
If the goal was to save money, they chose…poorly. “The cost of the state’s response has exceeded $14 million,” reported the Post. “That includes $12 million to the Experian credit-monitoring agency to cover taxpayers who sign up — half of which is due next month — and nearly $800,000 for the extra security measures ordered last week. The Revenue Department has estimated spending $500,000 for Mandiant, $100,000 for outside attorneys and $150,000 for a public relations firm. But those costs will depend on the total hours those firms eventually spend on the issue. The agency also expects to spend $740,000 to mail letters to an estimated 1.3 million out-of-state taxpayers.”
Plus, there’s the class action lawsuit, which could amount to $4 billion or more.
Meanwhile, other states such as Georgia and Alabama are hastening to point out that they don’t have any problems like this because they encrypt their data. However, most other states don’t, said Larry Ponemon, chairman of The Ponemon Institute, which researches privacy and data protection.