Data Breach Laws Go Coast-to-Coast

Imagine this scenario: you are sitting in your office enjoying your morning coffee when you are called into an emergency meeting and told that a backup tape containing customers' personally identifiable information has been lost. How you react to this revelation depends on what steps, if any, you have previously taken to protect the information of your company's clients. Do you calmly notify everyone that all backup tapes are encrypted, so the customer information is safe and your company is not at risk? Or do you start checking websites to find out what the criminal and financial penalties are for storing unencrypted customer information on tape?

Companies do not consciously decide to lose money, lose customers, or hurt shareholder value, but if they are not taking the proactive data security step of encrypting their data at rest on backup tapes, that is exactly what they are doing. Companies are quickly finding out that taking the proper steps to encrypt data at rest is much cheaper than the alternative. Consider:

  • Costs associated with notifying customers. A 2007 study by the Ponemon Institute, LLC, showed that the average cost of a data breach in 2007 was $6.3 million. The study showed that data breaches cost companies $197 per compromised customer.
  • Costs associated with a damaged reputation. An interesting comment from the study was that "consumers seem to be less forgiving when their personal information is compromised". Basically, once you lose your reputation with your customers, they start looking to move on to your competition.
  • Costs associated with trying to lure back lost customers. The study also noted lost business opportunities, including losses associated with customer churn and acquisition, which represent the most significant component of the cost increase.

In addition to the intangible costs of lost customers and damaged corporate reputations, state and federal governments are stepping into the arena and bringing tangible costs into the equation. Ever since California's SB 1386 went into effect in 2003, it has set the precedent for data breach notification laws, and most other states have now followed California's lead, with Iowa recently becoming the 43rd state to pass a data breach law. The federal government also has several bills pending, such as the Leahy-Specter Bill and a competing bill introduced by Sen. Feinstein. It therefore stands to reason that if federal and state governments are taking this issue seriously, tape encryption is an issue your company cannot afford to ignore.

Under California's SB 1386, as with most state notification laws, a "safe harbor" from the duty to notify customers is granted if the data on the missing backup tapes is shown to be encrypted. On the flip side, if a company cannot show that customers' data was encrypted and personally identifiable customer information was stored on a lost, misplaced or stolen tape, then chances are the company will be required to notify those affected customers. Even worse, if a company cannot ascertain which customers were affected, it might have to notify each and every customer.

So, why have so many states given safe harbor to encryption? Currently, it is the best option for protecting your customers from identity theft. Encryption is, quite simply, taking plain text and making it unreadable to anybody who does not have the proper key to decipher it; this also means that proper key control is a critical factor in your data protection strategy, because a tape is only as protected as the key that unlocks it. In forthcoming blog entries, we'll take a closer look at the encryption capabilities of the latest Linear Tape Open (LTO) tape technology as well as Quantum's centralized key management approach, Encryption Key Manager (Q-EKM), in terms of how they address immediate corporate concerns about both tape encryption and proper key management, so companies can satisfy these emerging legal and financial concerns.
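The paragraph above makes two points that are easy to state and easy to get wrong in practice: the data written to tape must be unreadable without the key, and the key must be controlled separately from the tape. The following Go program is an added illustration written for this post; it is not code from the original entry, from Quantum, or from any LTO or Q-EKM product. It assumes AES-256-GCM as the cipher, a small in-memory map standing in for a key manager, a key identifier (not the key) travelling with the tape record so the reader can find the right key, and a constructed customer record as sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// tapeRecord is what actually lands on the tape: the ciphertext, the nonce,
// and an identifier naming which key was used. The key itself is never written.
type tapeRecord struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// newDataKey produces a fresh 256-bit AES key. In a real deployment the key
// manager would generate and escrow it; here it is constructed for the example.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptForTape seals plaintext under the named key. The key ID is bound in as
// additional authenticated data, so a record cannot be silently relabelled to a
// different key without the authentication tag failing on restore.
func encryptForTape(keyID string, key, plaintext []byte) (*tapeRecord, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A unique nonce per record is mandatory for GCM; reuse breaks confidentiality.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(keyID))
	return &tapeRecord{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptFromTape restores a record using only keys the key store still holds.
// A lost tape whose key ID is absent from the store (or has been destroyed)
// stays unreadable, which is the property the safe-harbor provisions rely on.
func decryptFromTape(rec *tapeRecord, keyStore map[string][]byte) ([]byte, error) {
	key, ok := keyStore[rec.KeyID]
	if !ok {
		return nil, errors.New("key " + rec.KeyID + " not available: tape contents unreadable")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Open fails on a wrong key or any tampering with nonce, ciphertext or key ID.
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
}

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real customer data.
	record := []byte("customer=Jane Doe;ssn=000-00-0000;acct=0000-0001")
	rec, err := encryptForTape("tape-key-2008-01", key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("written to tape: key id %q, %d ciphertext bytes\n", rec.KeyID, len(rec.Ciphertext))

	// Restore with the key manager holding the key: succeeds.
	if pt, err := decryptFromTape(rec, map[string][]byte{"tape-key-2008-01": key}); err == nil {
		fmt.Printf("restore with key: %s\n", pt)
	}
	// The finder of a lost tape has the record but no key store entry: fails.
	if _, err := decryptFromTape(rec, map[string][]byte{}); err != nil {
		fmt.Println("restore without key:", err)
	}
}
```

The design point to take from this is the separation: the tape carries a key identifier and ciphertext, while the key lives only in the key store. Retiring a key from the store is what makes every tape written under it permanently unreadable, so key retention and backup policy for the key manager deserve the same attention as the tapes themselves.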

Entry Sponsorship

This entry is sponsored by Quantum Data Protection
