RM vendor recommends encryption after admitting tape loss

RM vendor recommends encryption after admitting tape loss

By Stuart Finlayson

Apr 26, 2005: Following the admission that it lost a customer's backup tapes, records management vendor Iron Mountain is advising its customers that current, commonly used disaster recovery processes do not address increased requirements for protecting personal information from inadvertent disclosure, and is recommending that customers encrypt their data tapes.

In recent months, several companies have disclosed incidents that may have compromised personal information. While most of these cases involved malicious, online identity theft, some of the events were due to the accidental loss of computer backup tapes.

"Iron Mountain performs upwards of five million pick-ups and deliveries of backup tapes each year, with greater than 99.999 percent reliability. Nevertheless, since the beginning of the year, four events of human error at Iron Mountain resulted in the loss of a customer’s computer backup tapes. While four losses is not a large number in comparison to an annual rate of five million transportation events, any loss is important to customers and to Iron Mountain," the company said in a statement.

Richard Reese, chairman and CEO, Iron Mountain, said the company felt it necessary to speak out following the incidences of lost tapes that have occurred in recent weeks.

"The accidental loss of backup tapes poses a potential risk if sensitive information stored on those tapes is unencrypted. Since Iron Mountain stores and manages backup tapes for many major companies around the world, we have fielded questions in recent weeks about these issues. It is our policy not to discuss any specific customers, but given the magnitude of our business, we’re obviously not immune from this type of occurrence. Therefore, we want to broadly address these questions and share our perspective on this important issue."

Whilst pointing out that the company was unaware of any incident in which the physical loss of a backup tape resulted in the unauthorized access of personal information, Reece said it is "important to understand that unencrypted information stored on backup tapes is difficult to read, but it is not impossible. Companies need to reassess their backup strategies and seriously consider encrypting sensitive data to prevent a potential breach of privacy."

Although it is a standard practice for companies of all sizes to create multiple copies of their computer data on backup tapes and move them off site to a trusted third-party so that their business can recover in the event of a disaster, according to a recent industry report from the Enterprise Strategy Group, only seven percent of businesses encrypt all of their backup tapes.

For many businesses, this has been because the encryption process increases the complexity of the backup process and may reduce the reliability of an effective disaster recovery plan.

Nevertheless, disaster recovery planning is critical for all companies. Experts agree that off-site storage of backup tapes will remain an essential component of disaster recovery and other data-management plans.

“Iron Mountain, therefore, is recommending that companies encrypt backup tapes containing personal information, but take care to incorporate encryption in a way that does not compromise their overall disaster recovery plans,” advised Reese. “This announcement is the beginning of a campaign to educate our customers on these important issues so that together, we can start to work toward solutions.”

Related Article:

Lack of backup encryption posing dangerous security risks