Tuesday, December 16, 2008

Think you can trust your IT executives or staff with company data? Think again.

A direct marketing firm alleges that its former Vice-President of IT took a backup tape containing names and information on 3.2 million clients, including credit card and bank account information on 800,000 customers. The tape was encrypted, but it also contained the information and programs needed to decrypt the data. Besides, if the VP of IT was involved, don’t you think that he’d probably have the decryption key or would know where to obtain it?

Interestingly, the CEO of the company reported to the Breach Blog within hours after the blog’s post that the “stolen” tape had been “recovered” and was being examined by forensic experts to determine if the data was accessed.

With a whole host of new “disclosure” laws affecting most states, your company should be thinking about how it manages the personally identifiable information (PII) of customers, vendors, employees, etc. As more and more technology is able to hold so much data, one lost laptop or exposed disk may create a huge liability for the company. It sounds like this company, like many companies, could use policies and procedures regarding backup tapes, including a backup tape log and limits on access.

Are you kidding me?