By Steven Marlin
July 8, 2005
City National Bank has become the second company in two months to
experience a loss of backup tapes in transit by Iron Mountain Inc. The
Los Angeles-based bank disclosed Thursday that two tapes containing
sensitive data, including Social Security numbers, account numbers,
and other customer information, were lost during transport to a secure
The bank said the data was formatted to make the tapes difficult to
read without highly specialized skills, but declines to say if they
were encrypted. It said there's no evidence that data on the tapes has
been compromised or misused.
Iron Mountain said it lost the tapes in April. The tapes were in a
small container of backup tapes belonging to a Texas-based Internet
services provider that hosts applications for City National and other
banks. The incident has been investigated by federal law-enforcement
officials and no evidence has been found of identity-theft relating to
In May, Time Warner revealed that tapes containing data, including
names and Social Security numbers, on 600,000 current and former
employees disappeared in March while being shipped to an offsite
storage facility operated by Iron Mountain.
Other lost-tape incidents that have made headlines this year have
involved Bank of America, Citigroup, and Ameritrade.
In a letter to customers, City National said it was conducting a
comprehensive review of its security procedures. "Clearly, information
security is a growing concern throughout business everywhere," the
Iron Mountain, in a statement, said, "Given the criticality of
disaster recovery and the need for privacy protection, we continue to
recommend that companies encrypt back-up tapes that contain personal
Under California's Security Breach Notification law, companies are
required to provide notice of a breach in the security of data to any
resident of California whose unencrypted personal information was, or
is reasonably believed to have been, acquired by an unauthorized
person. In providing notification, City National did "more than was
required" on behalf of our clients, a spokeswoman says.
A bill introduced last month in Congress would require such
notification, but exempts companies if a risk assessment conducted
with law enforcement determines that the risk of fraud is minimal. It
also exempts companies if compromised data can't be used to commit
fraud or if the company has a security program reasonably designed to
block the data's use for fraudulent transactions.
Only 7% of businesses encrypt all backup tapes, according to
Enterprise Strategy Group. Alternatives to backup tapes, such as
electronic disk backups, are being used by many companies; Citigroup
is starting to use it this month following its tape-loss incident.
AmeriVault Corp., a provider of disk-based backup systems, is
recommending that customers prioritize applications for backup
purposes and designate the most critical ones for disk backup and
less-critical ones for tape. "You don't need to rely on one solution,"
says AmeriVault president and CEO Bud Stoddard. Prioritization, he
says, "allows you to protect 10% to 20% of your data electronically
instead of relying on trucks and tapes."
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.