I have yet to get a letter from an institution with which I do business that starts like this:
Dear Current or Former PEIA, WVCHIP, or AccessWV Member:
We are writing to you because of a recent data security incident. On October 16, 2007, a mainframe computer tape containing your and your dependents’ name, address, and social security number was reported as lost by United Parcel Service (UPS) while en route to PEIA’s data analyst.
But the longer I stay on the storage beat, the more I feel like the day is coming.
We just reported on a similar completely egregious data loss last week, this time an entire case of backup tapes belonging to the Louisiana Office of Student Financial Assistance (LOSFA) that was left on the side of the road by an Iron Mountain driver. And before that, Marriott International Inc.
Those were only the ones we chose to report on. If we really wanted to, we could probably change this site tomorrow to SearchLostBackupTapeStories.com and we’d have enough to keep up with a reasonably regular newsletter. Unfortunately, the site Attrition.org has already beaten us to the punch when it comes to being the Web clearinghouse for news about how the companies we trust with our sensitive financial and personal data are still losing it, and still losing it in cleartext.
Over a year ago Steve Duplessie, himself a victim of the Marriott data loss, wrote a column for us about how “there’s simply no excuse for these very public blunders.”
And yet, here we are, watching them continue.
My question at this point–sincerely–is why?
Back when the loss of a backup tape was still emerging as a potential problem (it was not ever thus, only in recent years as more and more sensitive data is digitized), there were some at least plausible arguments for not encrypting backup tapes. The expense, for one. The complexity of adding something into your backup environment, when backup is already a nightmare to administer. Performance issues.
By now, you can buy a low-end LTO-4 tape drive with hardware-based encryption built right in. By now, you can buy a module for your Cisco director switch that will encrypt everything that touches your network, if you want, and manage the keys for you, too. If you’re a mainframe customer like PEIA, you can now attach a self-encrypting tape drive from IBM or Sun. By now, everyone and their brother on the vendor side is coming out with a data security product offering, and the longer this all goes on, the cheaper these products are getting.
And yet still, on a weekly basis, there are financial and medical institutions reporting the loss of tapes, which must mean they were unencrypted, because data privacy laws don’t require reporting on the loss of encrypted data. I highly doubt any of these companies are reporting these losses when they don’t have to.
There’s something I’m missing here. The only argument left from the early days of data breaches is, I suppose, that the risk-reward analysis doesn’t warrant expenditures on data security; in other words, “It won’t happen to us.” But I don’t understand how that argument flies anymore, either, with these embarrassing announcements continuing to pop up in the news so often. And I also don’t think that any business would choose not to purchase a firewall for its corporate network just because the risk of actually getting hacked is relatively low. You don’t forgo car insurance on the basis that an accident is a remote possibility.
So how is anyone getting away with transporting cleartext backup data anymore? Hoping one of you out there in blogland can help me out with that question.