More Comfortable, encrypted and lost?
by Hu Yoshida on Dec 31, 2005
After my last post about the loss of backup tapes containing personal information, including my own, at Marriott Vacation Club International, Anil Gupta asked me if I would feel more comfortable if the data was encrypted and lost. (He had heard that the data was not encrypted.)
My vote would be for encrypted and not lost. But since it is lost, it would make me feel more comfortable if the data were encrypted.
Computer World.com published an opinion by Larry Ponemon who conducted a survey on encryption. He found that, despite all the many publicized reports of lost data, very few companies embraced encryption of data. He received 791 responses and only 4.2% of the companies responding had an enterprise wide encryption plan. While security and privacy professionals believe encryption is necessary to protect sensitive data, concerns regarding its affect on system performance, ease of use, and cost, limit its adoption. I have also talked to security professionals at a credit card company who said that encryption is the last resort due to the possibility of data loss if the keys are mismanaged.
Under the proposed Spector Leahy Personal Privacy and Data Security Act of 2005, law enforcement, consumers, and credit reporting agencies would have to be notified if sensitive personal data is compromised. I assume if data tapes are lost it wouldn’t matter if they were encrypted or not. As far as this act is concerned, the data is compromised and people have to be notified.
Encryption is only one part of security. Data Security needs to be addressed with physical security, authentication, authorization, integrity, confidentiality (encryption), logging and auditing.
There are two problems here. The data is no longer secure (if it ever was) and the data is lost. Instead of giving un-encrypted data tapes to a $20/hr courier to take off site, would it be better to encrypt the data tapes before giving them to a $20/hr courier to take off site? While I would feel more comfortable knowing my data was encrypted and relatively difficult to access, encryption does not prevent data from being lost. In order to reduce the risk of losing data, the data tapes could have been kept onsite within their control or sent off site through a more reliable method of transporting like electronic vaulting or replication.
Note: ComputerWorld published a Reuters report where a company spokesperson indicated the tapes were lost at MVCI’s Orlando HQ, indicating that it was not sent off site. However, one of their FAQ, said that sending backup tapes with sensitive data off site is standard practice among Fortune 500 companies. Encrypting backup tapes of sensitive data does not appear to be part of that standard practice.
I haven’t received my letter of notification from MCVI yet, but based on my collegue Jeremiah’s advice, I have begun to take the preactive steps he reccomends in his post.
Comments (2 )
Hu, maybe they should factor their data down by 20-1 via Diligent and then send it to another USP, at a remote location, via HUR and stop using/shipping tapes all together. This will eliminate the mistakes made by the protein robots.
The public needs to protect them selves.
We can’t depend on these companies that we work for or consume from to protect our Identities. With Identity theft being the fastest growng crime in America we need to act now. America need an “Identity Theft Shield” for more information go to http://www.prepaidlegal.com/hub/janniere90