How To

No More Lost Backup Tapes: Chain of Custody Security Measures

Sending critical backup tapes to a storage facility isn't as simple as placing a package on a truck. Here are four points to consider when you're securing the chain of custody for your backup data.

By Stacy Collett

August 01, 2005

CSO — When Bank of America disclosed in February that its courier service had lost backup tapes containing data on about 1.2 million federal employees—including names and Social Security numbers—consumers, senators and even some industry peers asked how there could have been such a lapse in security. No escort for the air transport? No encryption of the tapes? No documented chain of custody?

So in May, when Time Warner revealed that couriers at its storage management provider, Iron Mountain, had lost a cooler-size container of computer tapes—holding personal, unencrypted data on 600,000 current and former employees—while it was en route to a data storage facility, it served as a chilling reminder that these aren't isolated incidents and that security processes need to be revised. More proof came on June 6, when United Parcel Service confirmed that it had lost the financial data of nearly 4 million Citigroup customers while computer tapes were being transported to a credit bureau. And on July 5, national media outlets reported that Iron Mountain had lost two backup data tapes with the personal and financial records of an unspecified number of customers of the City National Bank of Los Angeles.

The transportation of backup tapes, the dominant medium for archival data storage because of its low cost compared with other storage options, such as optical disks, has emerged as a very public weak link in the information security custody chain. Moving sensitive data from the office to delivery service to storage provider straddles both IT and physical security roles. And for many companies, there is no real owner of the entire process, no clear means of authenticating the identity of some data handlers and no guaranteed means of getting data from point A to point B.

This summer, the Geneva-based International Organization for Standardization (ISO) is set to release updated standards for IT security guidelines for backup, management and disposal, and for physical media in transit. (The official name is ISO/IEC 17799.) But in the meantime, CEOs and boards of directors are clamoring for safeguards against the bad publicity and threats to customer information that these incidents bring.

Although investigators at the U.S. Secret Service consider the backup tapes from Bank of America, Time Warner and Citigroup to be lost because no fraudulent activity has been traced back to the data so far, security officers can't rule out future incidents in which the information could be stolen. "Nobody knows what happened to [that data]. Maybe somebody just put it in a closet somewhere, or maybe somebody took it home. But you really don't lessen your risk" by speculating, says Randy Moulton, chief security officer for the City of Charlotte, N.C. The city contracts with a third-party vendor, which Moulton prefers not to name, to store sensitive data on its 5,000 employees. He says that any transport arrangement carries risks and that "it could totally happen to us."
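The documented chain of custody that the article finds missing can be made tamper-evident with a linked, authenticated handoff log. The Python below is an added example written for this page, not code from CSO or from any company named in the article; the tape ID, party names, locations, timestamps and audit key are constructed. Each transfer is recorded together with the MAC of the previous record, so an auditor can distinguish an altered record from a missing one, spot a custody gap where the party releasing a tape is not the party that last signed for it, and, when a shipment fails to arrive, name the last custodian on record.

```python
"""Tamper-evident chain-of-custody log for backup tapes.

Added example for this article, not code from CSO or any vendor named in it.
Tape IDs, party names, locations, timestamps and the audit key are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, replace
from typing import List

# Constructed key. The party that audits handoffs holds it; custodians
# submit entries to that party rather than computing MACs themselves.
AUDIT_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Handoff:
    tape_id: str       # cartridge label
    from_party: str    # releasing custodian
    to_party: str      # receiving custodian
    location: str
    timestamp: str     # ISO 8601, UTC
    prev_mac: str      # MAC of the preceding entry; "" for the first
    mac: str = ""      # MAC over all fields above, including prev_mac


def _mac(fields: dict) -> str:
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_handoff(chain: List[Handoff], tape_id: str, from_party: str,
                   to_party: str, location: str, timestamp: str) -> Handoff:
    """Record one custody transfer, linked to the previous record's MAC."""
    fields = dict(tape_id=tape_id, from_party=from_party, to_party=to_party,
                  location=location, timestamp=timestamp,
                  prev_mac=chain[-1].mac if chain else "")
    entry = Handoff(**fields, mac=_mac(fields))
    chain.append(entry)
    return entry


def verify_chain(chain: List[Handoff]) -> List[str]:
    """Return a list of findings; an empty list means the log is intact.

    Three checks per entry: the MAC (record not altered), the link to the
    previous MAC (no record removed or reordered), and custody continuity
    (whoever received the tape is the party that next releases it).
    """
    findings = []
    expected_prev = ""
    holder = None
    for i, e in enumerate(chain):
        fields = asdict(e)
        fields.pop("mac")
        if not hmac.compare_digest(e.mac, _mac(fields)):
            findings.append(f"entry {i}: MAC mismatch, record altered")
        if e.prev_mac != expected_prev:
            findings.append(f"entry {i}: link broken, record missing before it")
        if holder is not None and e.from_party != holder:
            findings.append(f"entry {i}: custody gap, {holder} held the tape "
                            f"but {e.from_party} released it")
        expected_prev = e.mac
        holder = e.to_party
    return findings


def last_custodian(chain: List[Handoff]) -> str:
    """Most recent party to sign for the tape; where a search for it starts."""
    return chain[-1].to_party if chain else "no record"


def sample_chain() -> List[Handoff]:
    """Constructed three-hop shipment: data center -> courier -> off-site vault."""
    chain: List[Handoff] = []
    append_handoff(chain, "TAPE-0001", "dc-operator", "courier-a",
                   "HQ loading dock", "2005-06-01T18:02:00Z")
    append_handoff(chain, "TAPE-0001", "courier-a", "courier-b",
                   "regional depot", "2005-06-01T22:40:00Z")
    append_handoff(chain, "TAPE-0001", "courier-b", "offsite-vault",
                   "vault intake", "2005-06-02T07:15:00Z")
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    print("intact:", verify_chain(chain), "| last custodian:", last_custodian(chain))
    # The depot transfer was never logged: link broken plus a custody gap.
    print("missing record:", verify_chain([chain[0], chain[2]]))
    # A record edited after the fact: the MAC no longer verifies.
    edited = chain[:2] + [replace(chain[2], to_party="someone-else")]
    print("edited record:", verify_chain(edited))
```

The log proves only that the records are consistent, not that a tape physically arrived; the operational value is that a failed delivery becomes a question about one named handoff rather than the open-ended "nobody knows what happened" the article describes, and that a custodian cannot quietly delete or rewrite the record of a transfer they were party to.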
