Storing Liability: The Increasing Risks of Off-Site Data Storage
May 2005
Listening to CNN recently, I felt that one
of the announcers was clearly quite nervous about the story she had just presented,
admitting that she had a real interest in the story since she was likely a potential
victim of what had occurred. Time Warner, CNN's parent company, had just revealed
that tapes containing names and Social Security numbers on over 600,000 current
and former employees had disappeared.
by Gary
Clayton
Privacy Compliance
Group, Inc.
The tapes vanished while they were being shipped to an off-site storage center
operated by Iron Mountain, Inc., which provides data backup services to companies
throughout the United States. Apparently the tapes were not encrypted—they were
compressed making them difficult to access, but compression does not offer the
protection of encryption. Nothing needs to be unlocked on such compressed tapes—opening
them is much akin to opening a .zip file.
This is not the first major company to report such a loss of backup tapes.
Other prominent companies such as Ameritrade and Bank of America have revealed
similar losses of customer or employee information. In the case of Bank of America,
the loss carried potential political liabilities since the lost data related
to members of Congress and members of their staff.
Why? Why Now?
These incidents raise a number of important issues for almost every mid-size
or larger company in the United States. First, why is this happening? Second,
why now? Third, what can be done to protect against such potentially damaging
losses? And finally, what are the liability risks for failure to adequately
protect personal information?
The first question is easiest to answer. These types of losses are occurring
because so few companies bother to encrypt all of their backup tapes. One recent
study revealed that only 7 percent of businesses encrypt such tapes. Despite
the fact that many of the same companies invest heavily to protect data on their
networks, they have failed to take the basic step to encrypt their data on backup
tapes.
So why is this becoming news now? Did something change to make this sort
of loss occur? The answer is that yes something changed: California enacted
legislation that requires companies that have personal information on California
residents to notify those customers if personal information may have been accessed
inappropriately. The law thus made data loss a public issue.
Prior to the enactment of the California legislation (S.B. 1386), losses
of backup tapes or other security breaches were very unlikely to be made public
unless some extraordinary event occurred. The federal government and a number
of states are considering legislation that would mandate notice similar to that
required by the California law.
What Can Be Done?
There are a number of steps that can and should be taken to avoid risks associated
with the loss of personal information. Information losses on backup tapes can
be greatly reduced by the use of encryption. Iron Mountain is encouraging companies
to encrypt their backup tapes before sending them to storage. According to a
white paper on the Iron Mountain Web site: "Encryption of the data on backup
tapes is the only effective means of making certain that others cannot read
the information on the tapes in the event they are lost." Iron Mountain also
recently issued an advisory to its customers to encrypt all backup tapes. According
to Iron Mountain, "Companies need to reassess their backup strategies and seriously
consider encrypting sensitive data to prevent a potential breach of privacy."
To date, there are no specific statutory or regulatory requirements mandating
that a certain type of encryption standard be used to protect personal information
such as that discussed above. There are, however, a number of laws that require
companies to undertake "adequate measures" in order to protect their data. California
A.B. 1950, for example, requires businesses to implement and maintain "reasonable"
security procedures and practices, appropriate to the nature of the personal
information to protect the information from unauthorized access, destruction,
use, modification, or disclosure. Unfortunately, however, A.B. 1950 does not
define what is "reasonable" nor does it offer guidance on how to meet the reasonableness
standard.
From discussions with California’s State Privacy Officer, it is likely that
California will adopt standards that will be based on the security procedures
of the Payment Card Industry—specifically the guidelines published by MasterCard
International and Visa USA, Inc.
California is not alone in adopting such measures. Sarbanes-Oxley, Basel
II, and a number of industry and governmental guidelines recommend that reasonable
security precautions be put in place to protect data. In light of Iron Mountain’s
recommendation that companies encrypt their backup data, it is not too difficult
to predict that enterprising plaintiffs will be using such a recommendation
to argue that the failure to encrypt sensitive data is, per se, unreasonable.
California law permits individuals to sue for unlawful or unfair business
practices. A.B. 1950 does not require an individual to be harmed for a violation
to occur. Further, considering that California’s SB 1386 requires businesses
to notify individuals promptly of a security breach of unencrypted computerized
personal information, businesses should anticipate a high level of enforcement
actions as a result of A.B. 1950.
A.B. 1950 requires that by January 1, 2005, all businesses covered by the
law must have developed and implemented reasonable security procedures to protect
personal information from unauthorized access, destruction, use, modification,
and disclosure. The law also imposes additional requirements on companies that
disclose personal information to third parties.
What Should Businesses and Risk Mangers Do?
There is not one silver bullet. Protecting against privacy and security risks
is a process that must be part and parcel of an organization’s overall business
practices. One of the first steps is gaining a full understanding of how data
is used in an organization—and how it is stored off site. Until such a baseline
is developed and risks analyzed in light of the data use and sensitivity of
the data, any remediation efforts will be piecemeal.
None of us wants to be like the CNN reporter who has to sit and wonder if
her personal information has been stolen or lost. Basic and "reasonable" steps
can prevent your business from placing your employees and customers in such
an awful position. With respect to backup tapes, to paraphrase the late Johnny
Cochran, "If it’s shipped, you must encrypt."
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.