Listening to CNN recently, I felt that one of the announcers was clearly quite nervous about the story she had just presented, admitting that she had a real interest in the story since she was likely a potential victim of what had occurred. Time Warner, CNN's parent company, had just revealed that tapes containing names and Social Security numbers on over 600,000 current and former employees had disappeared.
The tapes vanished while they were being shipped to an off-site storage center operated by Iron Mountain, Inc., which provides data backup services to companies throughout the United States. Apparently the tapes were not encrypted—they were compressed, which makes them harder to access, but compression does not offer the protection of encryption. Nothing needs to be unlocked on such compressed tapes—opening them is much akin to opening a .zip file.
Time Warner is not the first major company to report such a loss of backup tapes. Other prominent companies such as Ameritrade and Bank of America have revealed similar losses of customer or employee information. In the case of Bank of America, the loss carried potential political liabilities since the lost data related to members of Congress and members of their staff.
Why? Why Now?
These incidents raise a number of important issues for almost every mid-size or larger company in the United States. First, why is this happening? Second, why now? Third, what can be done to protect against such potentially damaging losses? And finally, what are the liability risks for failure to adequately protect personal information?
The first question is easiest to answer. These types of losses are occurring because so few companies bother to encrypt all of their backup tapes. One recent study revealed that only 7 percent of businesses encrypt such tapes. Despite the fact that many of the same companies invest heavily to protect data on their networks, they have failed to take the basic step of encrypting the data on their backup tapes.
So why is this becoming news now? Did something change to make this sort of loss occur? The answer is that yes, something changed: California enacted legislation that requires companies that hold personal information on California residents to notify those individuals if the personal information may have been accessed inappropriately. The law thus made data loss a public issue.
Prior to the enactment of the California legislation (S.B. 1386), losses of backup tapes or other security breaches were very unlikely to be made public unless some extraordinary event occurred. The federal government and a number of states are now considering legislation that would mandate notice similar to that required by the California law.
What Can Be Done?
There are a number of steps that can and should be taken to avoid risks associated with the loss of personal information. Information losses on backup tapes can be greatly reduced by the use of encryption. Iron Mountain is encouraging companies to encrypt their backup tapes before sending them to storage. According to a white paper on the Iron Mountain website: "Encryption of the data on backup tapes is the only effective means of making certain that others cannot read the information on the tapes in the event they are lost." Iron Mountain also recently issued an advisory to its customers to encrypt all backup tapes. According to Iron Mountain, "Companies need to reassess their backup strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy."
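As an added illustration, not code from the original article or from Iron Mountain, the following Go program makes concrete the distinction drawn above between a compressed tape and an encrypted one: a gzip blob can be opened by anyone holding the tape, whereas an AES-GCM-sealed image cannot be read, and any tampering is detected, without the key the company keeps back from the shipment. The sample record, the key handling and the function names are constructed for this example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

const SampleRecord = "name=Jane Doe;ssn=000-00-0000;dept=newsroom" // constructed, not real data

// Compress gzips the record: this is all a "compressed but not encrypted" tape holds.
func Compress(data []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

// Decompress recovers the record with no key at all, much like opening a .zip file.
func Decompress(blob []byte) ([]byte, error) {
	r, err := gzip.NewReader(bytes.NewReader(blob))
	if err != nil { return nil, err }
	return io.ReadAll(r)
}

// NewTapeCipher builds an AES-GCM AEAD from a 16, 24 or 32-byte key kept off the tape.
func NewTapeCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt seals the compressed blob; the shipped image is nonce || ciphertext || tag.
func Encrypt(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every tape image
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, blob, nil), nil
}

// Decrypt returns an error, never garbage, on a short image, a wrong key or tampering.
func Decrypt(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, io.ErrUnexpectedEOF
}
```

Compressing before sealing keeps the tape small; sealing after compressing is what makes a lost tape unreadable.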
To date, there are no specific statutory or regulatory requirements mandating that a particular encryption standard be used to protect personal information. There are, however, a number of laws that require companies to undertake "adequate measures" in order to protect their data. California A.B. 1950, for example, requires businesses to implement and maintain "reasonable" security procedures and practices, appropriate to the nature of the personal information, to protect the information from unauthorized access, destruction, use, modification, or disclosure. Unfortunately, however, A.B. 1950 does not define what is "reasonable," nor does it offer guidance on how to meet the reasonableness standard.
From discussions with California's State Privacy Officer, it is likely that California will adopt standards that will be based on the security procedures of the Payment Card Industry—specifically the guidelines published by MasterCard International and Visa USA, Inc.
California is not alone in adopting such measures. Sarbanes-Oxley, Basel II, and a number of industry and governmental guidelines recommend that reasonable security precautions be put in place to protect data. In light of Iron Mountain's recommendation that companies encrypt their backup data, it is not too difficult to predict that enterprising plaintiffs will be using such a recommendation to argue that the failure to encrypt sensitive data is, per se, unreasonable.
California law permits individuals to sue for unlawful or unfair business practices. A.B. 1950 does not require an individual to be harmed for a violation to occur. Further, considering that California's S.B. 1386 requires businesses to notify individuals promptly of a security breach of unencrypted computerized personal information, businesses should anticipate a high level of enforcement actions as a result of A.B. 1950.
A.B. 1950 requires that by January 1, 2005, all businesses covered by the law must have developed and implemented reasonable security procedures to protect personal information from unauthorized access, destruction, use, modification, and disclosure. The law also imposes additional requirements on companies that disclose personal information to third parties.
What Should Businesses and Risk Managers Do?
There is not one silver bullet. Protecting against privacy and security risks is a process that must be part and parcel of an organization's overall business practices. One of the first steps is gaining a full understanding of how data is used in an organization—and how it is stored off site. Until such a baseline is developed and risks analyzed in light of the data use and sensitivity of the data, any remediation efforts will be piecemeal.
None of us wants to be like the CNN reporter who has to sit and wonder whether her personal information has been stolen or lost. Basic and "reasonable" steps can prevent your business from placing your employees and customers in such an awful position. With respect to backup tapes, to paraphrase the late Johnnie Cochran, "If it's shipped, you must encrypt."
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.