The controversy surrounding lapses in personal-data protection intensified last week, as executives from Bank of America, ChoicePoint, and LexisNexis attempted to explain to Congress losses or thefts that involved hundreds of thousands of customer files.
Time Warner Inc. revealed that tapes containing names, Social Security numbers, and other personal data on 600,000 current and former employees disappeared on March 22 while being shipped to an off-site storage center run by Iron Mountain Inc. So far, there's no evidence that the tapes or their contents have been misused.
Iron Mountain says it has had four cases this year of human error that resulted in the loss of customers' backup tapes; the company performs more than 5 million pickups and deliveries of backup tapes each year.
Maybe the time has come for all companies to encrypt tape data, says Jay Wessel, senior director of technology for the Boston Celtics.
Photo by Jason Grow
Only 7% of businesses encrypt all backup tapes, says Tony Asaro, an Enterprise Strategy Group analyst. California's law requiring that companies notify customers if personal information may have been accessed has made the issue a public one. "This type of thing has probably happened before," Asaro says. "But the need for disclosure has made it more important to take precautions."
The federal government is considering legislation similar to California's law. In Washington last week, executives from companies stung by losses or theft of customer data vowed at a House hearing to do more to safeguard sensitive information, and they backed a federal law to require disclosure if customer data is compromised.
ChoicePoint, the information broker whose disclosure of a security breach set off a furor over privacy and identity theft, favors a national notification law, Don McGuffey, senior VP for data acquisition and strategy, said at the congressional hearing. In March, ChoicePoint stopped selling products that contain sensitive consumer data, except where there's a specific consumer-driven transaction or benefit, or where the products support government and criminal-justice purposes.
Reed Elsevier plc's LexisNexis division, which last month said data on 310,000 individuals might have been compromised, also supports a national reporting law, said Kurt Sanford, president and CEO for U.S. corporate and federal government markets. The company has tightened its security procedures, including truncating Social Security numbers displayed in nonpublic documents, he said.
Bank of America, which disclosed that backup tapes containing customer and account information for 1.2 million government charge-card holders were lost in transit, favors a "national approach to information-security guidelines," said Barbara Desoer, global technology, service, and fulfillment executive.
Some companies are replacing tape as their primary backup medium. Legal Services for New York City, which provides free legal aid for low-income residents, uses Double-Take replication software from NSI Software Inc. to continuously replicate its primary SQL Server database to a remote site. "There are fewer and fewer reasons for tape," chief technology officer John Greiner says.
The Celtics' Wessel uses tape for backing up digital files that are too large to be transmitted over a network. When an Iron Mountain truck shows up to pick up the backup tapes, which are handled and loaded by two Celtics employees, a third employee watches to ensure that none of the tapes are mishandled or misplaced. So far, Wessel says, no tapes have been lost.