Encrypting Backup Data

Last December I received a letter from my mortgage company informing me that a backup tape was missing that contained personal information, payment history, and social security numbers of their customers. They were offering free credit reports and a credit monitoring service from one of the big credit bureaus. I don't know exactly how many people were affected by this, but I assume it was many thousands. This must have been incredibly embarrassing and expensive for the company.

In fact, in 2005, there were several other incidents where backup tapes had been lost or fallen into the wrong hands. I suspect that this has gone on for a number of years, but the companies who lost the data probably didn't make it public. Several laws now require companies to inform affected parties in a timely manner when sensitive data is mishandled. This information usually makes the national news and costs the responsible company a great loss of confidence; in many cases the financial impact is devastating.

There is absolutely no excuse for this. Sarbanes-Oxley, HIPAA and other regulations require that backups be maintained off-site for disaster recovery purposes. Even without the regulations, larger companies have auditing and business continuity requirements that call for off-site storage of data. Most professionally run IT operations pay intense attention to security: physical access to servers, authenticating access, encryption of data transmissions... However, it appears that some are perfectly willing to put sensitive information in plain readable form on backup media, and then hand it over to another party to transport and store.

There is a very simple solution to this problem, and it is hard to believe that some companies are ignoring it: encrypt the data before it is sent off-site. If you do that, then a lost, stolen, or mishandled tape has very little consequence. The encryption technology is readily available and costs relatively little to implement and maintain.

Smaller businesses are not usually as diligent about backup and recovery as large corporations, but the loss of data or the disclosure of sensitive information can be even more devastating. A single embarrassing incident or lawsuit can easily put them out of business. I have talked to quite a few small business owners and some medium-sized companies about their data backup practices. In most cases, the plans are inadequate at best. In a lot of cases employees are expected to copy data to a CD, tape, or portable disk and take it home with them. First of all, those plans are not reliable and are subject to error and neglect. Second, sensitive data may be rolling around in the trunk of someone's car, easily accessible by mechanics, car wash workers, parking attendants and who knows who else.

It is rare that home users store backup data off-site. Most don't even back up their data in any reliable way. While data loss on a home non-business computer may not be as costly as a loss of business data, the loss can be very painful and costly. The value of data on home computers is increasing with the new ways that people are using computers. Backup is usually an oversight, until they suffer a loss. And everybody will suffer a loss eventually. Home computer users should consider using a reliable backup system and storing their valuable data away from their home. Home computer users should also ensure that their off-site backup data is encrypted, because an identity thief would likely find more than enough information on your backup media to open new accounts in your name.

The best way to solve the problem of off-site backup and security of backup data at the same time is to use a high-quality online backup service that encrypts the data. This solution works well for business and home users alike. Good online backup systems are fully automated, so the backups are reliable and the data is encrypted and stored off-site all at the same time. Select an online backup service provider that stores your data in a professionally managed data center, and make sure your data is transmitted and stored in encrypted form. There are plenty to choose from; Rhinoback is a good choice that I am familiar with, and the cost is very reasonable for home and business users.

1 comment:

iDeals vdr due diligence said...

If data becomes exposed due to theft or loss, companies face damage to their reputation as well as the possibility of heavy fines from government agencies. That’s why I'm recommending making encryption a standard component of their backup process when data needs to travel offsite.