Bank of America disclosed last week that it lost digital tapes containing the credit card account records of 1.2 million federal employees -- including 60 U.S. senators. Users and analysts said the mishap highlights the risk of physically moving archived data to storage facilities and will likely feed a movement toward network-based disk-to-disk backup systems.
The data loss, which occurred late last year, also prompted legislators to renew calls for national legislation similar to California's identity theft law, which requires immediate disclosure when customer information is compromised.
"The world has changed dramatically over the last four years, and the more you can eliminate the amount of data being transported around, the more you want to do that," said Bo Coughlin, vice president of the commercial services division at Time Warner Cable. "I don't want Johnny to give a tape to Stevie, who then gives it to Paul, who puts it in his truck to transport it."
Coughlin is overseeing a project to offer subscribers a fully managed, WAN-based backup system to a central repository run by Arsenal Digital Solutions Worldwide. The company is also testing the Arsenal system for internal use, he said.
Coincidentally, Coughlin said he recently received a letter from Charlotte, N.C.-based Bank of America warning him that his personal account information may have been compromised.
Bank of America said it notified the U.S. Department of Defense and the General Services Administration on Feb. 26 that "a few" tapes containing account information for customers of the GSA's SmartPay travel cards were missing. Bank of America spokeswoman Alex Trower said the tapes were part of a larger shipment of media being sent to a backup data center. She wouldn't say if the tapes were stolen or whether the data was encrypted.
Turning to Technology
Bank of America isn't alone.
Richard Fischer, an attorney at San Francisco-based Morrison & Foerster, devotes most of his time to financial privacy issues. He said that in the past three weeks, he has dealt with six cases involving banks whose customer information was compromised.
"Without any question, the banks have been under the microscope [of regulators] and have improved the security of systems," he said. "The problem is, the bad guys keep getting better too. The only solution is more technology."
Paul Rivard, director of IT at Commerce Bancorp, a US$1.2 billion company, said he moved away from tape backup for most of his servers three years ago and began backup over a WAN using third-party service provider AmeriVault.
"We don't have to track all these tapes coming from branches to a central location," Rivard said. "Not only is there greater peace of mind, but we don't have the regulators ... and we don't have to account for tapes in transit, the couriers and missed pickups."
Rivard said he believes that tape backup won't fully go away anytime soon because of the need for long-term archiving but that banks need to take advantage of better methods of securing that data. For example, Rivard began encrypting data on his tapes four years ago at the suggestion of a private auditor.
Bill Bradway, an analyst at IDC's Financial Insights unit, predicted that Bank of America will likely put together a team that includes its CIO, chief security officer and chief risk officer to strengthen processes and procedures for ensuring that backup data is safe. The bank will likely move toward transmitting backup data through high-bandwidth networks without the use of tapes, he said.
In the meantime, Bradway said, companies should brace for the regulatory backlash.
Last week, Senate Banking Committee member Jon Corzine said he called on Committee Chairman Richard Shelby and ranking member Paul Sarbanes to hold hearings on the issue of identity theft as soon as possible. Corzine has for the past two years introduced a measure that would require companies to notify the public when sensitive data is compromised.
A spokesman for Corzine said the proposed Privacy Breach Notification Act addresses the lack of notification for "individuals who may have been affected by ChoicePoint and Bank of America."
Bank of America's Trower said that the missing packages and the tapes were "unidentifiable" and that there was nothing on the packages to indicate who they belonged to or where they were going.
"It would require highly sophisticated hardware and software and specific user information to access the data on the tapes," she said.
Trower wouldn't say if the tapes were being handled by a third-party archival service or whether Bank of America is considering changing its procedures for backing up data from physical tapes to high-speed data networks.