As many as 100,000 people could be affected by the loss of three backup tapes belonging to the Peninsula Orthopaedic Associates. Patients of the POA have been advised to protect themselves from financial and medical identity theft. The use of backup tape encryption software, like file encryption from AlertBoot, would have been pivotal in curbing the chances of a major crime occurring; however, it looks like such data protection measures were not used in this case.
The tapes were lost en route to an off-site storage facility; the move, no doubt, was an arrangement to safeguard the tapes. Information on the tapes included Social Security numbers, employers' and health insurance numbers, and possibly medical information.
It's not news that things get lost while being transported to their final destination. And I'm not even talking about courier services like UPS or FedEx. For example, almost one year ago, Perpetual Storage lost a backup tape--which didn't use encryption--that belonged to the University of Utah. The backup tape was stolen from a Perpetual employee who was assigned to pick up the tape and take it back to the storage facility.
And, there's no guarantee that a tape won't go missing once it reaches the storage facility, either, which GE Money found to its chagrin when a backup tape went missing from a storage facility. Again, backup tape encryption was not used--and why would it be? It was assumed to be safe behind locked bars.
The presence of people--in other words, monitoring--to stop theft is one key aspect of data security, as well as the presence of locked doors and other barriers: if a computer, tape, or CD cannot be stolen, the data contained in them cannot be breached either. However, history shows us time and time again that monitoring cannot be effective 100% of the time: People go on breaks, someone drops the ball, people clock out early, security cameras have blind zones, etc.
I'll admit that in GE's case above, using file encryption on backup tapes would have represented going beyond what's required to protect data. In other words, one would have had a hard time finding people to agree that encryption software was necessary.
For cases like Perpetual and the POA case above, though, you'll probably find a good number of security professionals stating that the data should have been encrypted. The reason? It's that much easier to lose something when it's being moved around. Not to mention the chances of something being stolen when it's out and about.
Related Articles and Sites:
http://www.delmarvanow.com/article/20090411/NEWS01/904110363
http://www.wmdt.com/topstory/displaystory.asp?id=12557
http://www.wboc.com/Global/story.asp?S=10164887&nav=MXEF