Backup Rule #7: Encrypt Your Backups

Last week I opened my newspaper (yes, I still read the news on paper) to see a report of, once again, a major data breach caused by a batch of backup tapes being lost in transit to the warehouse. At the very least, I had hoped that the system administrators at large organizations that hold the most personal of all information would have gotten the word to encrypt their backup tapes, but this piece of news and the results of our InformationWeek Analytics Backup Survey have proven me wrong.

In our survey, only 18 percent of respondents reported that they encrypt all their backups to removable media, while an astounding 56 percent reported they don't encrypt their backups at all. Given the massive costs an organization can incur when it loses even a single backup tape, and how easy it is to encrypt your backups, I find it mind-boggling that backup administrators still don't encrypt.

In most states, an organization that loses a backup tape containing personal information--such as the credit card numbers from your Website or Social Security numbers and birth dates from your HR system--is legally required to notify all the people whose data has been lost. Imagine how much work it would take for you to even figure out what data was on the tape, who was affected and how to contact all those people within the 60 days the law gives you to send out notices.

In the case I read about in the paper, the New York Health and Hospitals Corporation (HHC), which runs the public hospitals in the city of New York, had a contractor pick up a box of backup tapes on Dec. 23. While making a later stop on his route, the courier left the truck unlocked, and the HHC tapes were stolen. Even though the tapes had database backup data on them and it would require some sophistication to retrieve the data from the tapes, the HHC was required by law to notify the 1.7 million people whose personal data was on those tapes. They sent out letters in 17 languages--New York is a diverse place, after all--and are offering identity theft protection, which, while not required by law, is becoming the standard response.

According to the Ponemon Institute, the average cost of a data breach is over $200 per compromised record, so the HHC is out about $350 million. That money would have been much better spent on a key management system and some more patient care. Don't let this happen to you. Encrypt your backups.