Added to this a spate of legislation that highlights the need for a complete security policy means that companies of all sizes are now looking at what they need to do to reduce the problems caused when data is lost. The flurry of high profile losses of sensitive data stored on backup tapes reported by large corporations has highlighted the damage that the loss of even one high capacity tape cartridge can bring.
One of the most recent cases to come to light was when Bank of America lost a number of backup tapes whilst in transit between offices. Even though there was no belief that the data had fallen into the hands of unauthorised people, the loss of confidential personal data has made many of their customers reassessed where they place their business. The US Senate as a result is considering bringing in legislation to ensure any personal data recorded on a backup or archive tape must be encrypted in some form.
It is clear that there is a real threat to data security if tapes are not encrypted, no matter how high the level of physical security used when transporting tapes to a ‘secure’ area away from the primary business location for disaster recovery plans. It is during the movement of tapes is where most of the losses in recent times have occurred. Many occasions they have been under the control of specialist companies who say they have a safe and secure storage. It has been found however, that when operators were asked how many times they have had the tapes from another company delivered to them in error, the answer is all too often that this is not a rare occurrence!
It seems to be overlooked by many analysts, but that there is also a major repercussion for the integrity of data restored from an unencrypted backup tape. What could the possible implications be of a restore being run from a set of backup tapes that have been modified? Contrary to the views of some so called specialists, it is not that difficult to modify clear data on a backup tape, and even easier to read and re-write the data so it appears to be the same unaltered tape as before. It needs only a few digits changed to have a major impact on a financial record!
The widening remit for data security is being addressed by various legislations such as Basel II, HIPAA, Sarbanes-Oxley and PHIPA. The fact that many companies are simply flouting these rules with the view that the fines they could face are less that the cost of implementing the solutions, means that only when the fines are increased and the number of prosecutions grows that legislation will have a real impact.
In Japan, where the number of disappearing data tapes is unusually high, the government has brought in legislation that requires a person in each company to be responsible for data security, and he or she will be fined and serve a prison sentence if they fail to comply with legislation. This apparent draconian measure may well be needed in other counties in order to bring companies in line. In Europe, a CEO is already liable for failing to implement an acceptable information security policy and he or she would be liable for a substantial fine or a custodial sentence in extreme cases.