Tape mishaps drive call for tougher data protection laws

Claiming Australian companies are far too lax when it comes to the protection of personal data, Frost & Sullivan security analyst James Turner says the only solution is the introduction of tough new laws by the federal government.

Zeroing in on the financial services industry, Turner said banks have been "appallingly reactionary" when it comes to security issues.

"The only way to make them play nice is through legislation," he said, adding that most of the Australian market is still doing security on a shoestring budget.

Turner's call to action follows a number of high-profile mishaps recently involving lost backup tapes holding credit card information on millions of account holders.

For example, the Bank of America lost digital tapes with information on 1.2 million people including 60 US Senators.

Analysts said the mishap highlights the risk of physically moving archived data to storage facilities and is driving the move toward network-based, disk-to-disk backup systems.

In February, identity thieves gained access to the personal information of 145,000 residents by accessing ChoicePoint, which maintains a 19-billion-item database including driving licence numbers and credit data.

Neither organization would confirm whether the data was encrypted, and Turner claims that, at the local level, there is only piecemeal acceptance of the need to encrypt back-up tapes for stricter security controls.

Turner said this is due to tight budgets and the perception that encryption is just too expensive.

Until Australian companies become legally obligated, he said, back-up tapes will not be encrypted.

However, policy management director at P7 Security, Andre Stein, believes there has been a marked increase in full-scale data tape encryption over the last 12 months but adds it has had little to do with security.

Instead, he said it has been tied to an increased focus on meticulous disaster recovery and business continuity planning.

There is also the need to maintain the integrity of long-term stored data, which may be required by investigators following a corporate collapse, he said.

"Record updating in the private sector is often ad hoc and haphazard - very often encrypted data tapes are not updated, which leads to not only a breach of the law but also inefficiencies due to a company maintaining outdated and incorrect information on its target market," Stein said.

"Very often personal information on customers already held on tape is not updated which is not a breach of the Commonwealth Privacy Acts and various State/Territory Health Records Acts.

"Significant compliance and political risk arises where companies centralize their data storage policies and procedures because different jurisdictions have vastly different data storage and handling laws and policies. It is critical that corporate policies, particularly where companies store their back up tapes outside of their immediate jurisdiction (eg a NSW office storing tapes in the ACT or Victoria or overseas) realize that different jurisdictions have vastly different data storage and handling laws and policies, and need to be customized for each jurisdiction."

One IT manager at a large financial firm who spoke to Computerworld on condition of anonymity said encryption is important for off-site traffic to an untrusted source.

"But if you store backup tapes on-site they have to be easily accessible; encrypting them can be a real disadvantage to doing business," he said.

"Accessibility and reliability are more important to us, which is why encrypting data tapes is not a priority."
