Despite well-publicized federal sensitive data protection, Personal Identity Protection (PIP) and Security Breach Notification (SBN) legislation, such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB), reports of personal data security breaches due to stolen or missing backup tapes continue to appear almost daily. Disk and tape storage containing sensitive data is released to the public daily when leases on enterprise storage systems expire and the equipment is returned to the lessor. No one records how much corporate and personal data is exposed when this equipment is put out into the pre-owned market, but stories abound of disk and tape containing sensitive corporate and personal data being available on eBay. The Privacy Rights Clearinghouse (www.privacyrights.org/ar/ChronDataBreaches.htm) reported at least 80 data privacy incidents in 2006 through April alone, potentially affecting 5 million individuals. To date, 33 U.S. states have serious PIP and SBN legislation. The majority follow California in requiring companies to notify customers any time “unencrypted” personal information is lost. Seven of these states went further, requiring secure erasure of all electronic disk and tape storage before disposal.
Ignorance Is No Defense
Current PIP and SBN legislation, as well as the Payment Card Industry Data Security Standard (PCI DSS) guidelines, all impose requirements to erase disk storage and tape media before disposing of it, and harsh penalties when unencrypted private/sensitive data is lost, stolen, or can’t be accounted for. “Unencrypted” means either that the data isn’t encrypted or that it is encrypted with a key that has also been compromised. This campaign to protect personal identity information also is fueling a new aggressiveness on the part of federal regulatory agencies; the Federal Trade Commission (FTC) recently imposed penalties totaling $15 million on one corporation for failure to meet its data protection obligations. What does this mean for your organization? Don’t be caught unaware or become a victim of circumstance. Instead, be proactive and ensure you’re on the right side of the law. Review your current data protection, business continuance, and business resiliency software to ensure you meet today’s stricter requirements.
Protect Data Leaving Your Control
Traditionally, large enterprise mainframe customers have had no difficulty meeting regulatory obligations concerning protection of sensitive data. They’ve had well-thought-out disaster recovery plans, regularly scheduled rehearsals, and security access control systems that prevent unauthorized access to private and sensitive data under their control. The focus of the new legislation and industry standards is to ensure an equally high level of protection for sensitive and private data that’s on disk and tape leaving their physical control.
The challenge of securing disks and tapes that leave the enterprise can be met with available software solutions that efficiently encrypt backup and Business-to-Business (B2B) data exchange files, securely erase data on tape volumes, and securely erase data from enterprise disk systems.
Encryption Technology: Science and Mathematics
The science of cryptography has ancient roots. Encryption is simply converting information from its normal form into something incomprehensible, rendering it unreadable without secret knowledge. Initially it was a means to ensure the secrecy of military leaders’ and diplomats’ communications; Julius Caesar is credited with inventing a simple substitution cipher. The scientific advances of the early 20th century brought the introduction of electro-mechanical devices capable of significantly increasing the complexity of encryption, including the infamous Enigma machine. During World War II, the Axis powers entrusted the Enigma with their most secret communications. The Allies’ breaking of the Enigma encryption keys, an “ultra secret” during the war, was not publicly acknowledged until 1974.
The complexity of the Enigma’s substitution codes is still overwhelming, even today. The number of encoding positions (permutations) possible on the electro-mechanical Enigma machine is 2 x 10^145; written out, that’s the number 23, followed by 144 more digits. The Enigma’s strength was illustrated in a February 2006 news story that reported that 2,500 PCs took more than a month to decrypt an Enigma-coded U-boat message, previously unbroken for more than 60 years.
Modern Encryption Algorithms