By Brian Fonseca
October 25, 2007
The loss of unencrypted storage media from an Iron Mountain Inc. vehicle
last month renewed calls for IT managers to better protect data stored
The Louisiana Office of Student Financial Assistance (LOFSA) said the
unencrypted data lost from the vehicle of its contractor on Sept. 19
included the names, birth dates and Social Security numbers of thousands
of state residents.
The state agency, based in Port Allen, La., administers several state
scholarship programs as well as the states 529 College Savings Plan.
Sue Boutte, assistant executive director and chief operating officer of
the agency, this week declined to say whether the unencrypted data was
stored on tape or disk drives. However, she conceded, If you trust your
data to a courier, then obviously something like this can happen.
According to Boutte, the incident occurred while the agency was working
on a plan to encrypt all backup data stored off site.
LOFSA was in the process of developing our disaster and recovery plan,
but [the loss] occurred before we could get it in place and establish it
as a standard plan, she said.
In a statement, Boston-based Iron Mountain blamed the loss of the device
on a driver [who] did not follow established company procedures when
loading the container onto his vehicle. The statement also noted that
the company encourages its customers to encrypt backup data.
In a recent interview, Iron Mountain CEO Richard Reese said his firm is
working hard to eliminate human error by its employees. For example, the
company announced this summer that it is retrofitting its fleet of
trucks with a new self-designed security and tracking system.
A similar incident two years ago prompted TD Ameritrade Inc. to encrypt
all of its backup data, said a spokesman for the Omaha, Neb.-based
financial services firm.
The backup tapes, later recovered, fell off a conveyor belt and became
lost in a shipping facility of an undisclosed contractor. Those tapes
contained personal data on 200,000 Ameritrade clients.
At the time we re-evaluated our [backup] processes and procedures, and
from that point forward, we encrypted [all data] and have taken that
extra level of protection, the spokesman said.
Brian Babineau, an analyst at Milford, Mass.-based Enterprise Strategy
Group Inc., said that IT managers who dont encrypt data are not doing
their jobs. Organizations need to understand that encryption is a
necessity and not a luxury anymore.
This would be the equivalent of not locking your luggage when you travel
overseas or leaving your wallet exposed in your back pocket, he added.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com