Here we go again.
Another massive data breach, this time affecting some 4.9 million active and retired US military personnel. The culprit: an unencrypted backup tape handled by the Science Applications International Corporation (SAIC), a contractor for the military. SAIC reported the breach of citizen health data to TRICARE, which released a statement two weeks later.
There are situations where the risks of data compromise would seem quite low, such as backup tapes held in a tape vault and inside a protected data center. The urgency to encrypt the data would undoubtedly be reduced based on this lower risk level. Of course, if the tapes are taken outside the data center and transported out in the “exposed world,” then the situation is vastly different. Risks go up exponentially and, unfortunately for some 4.9 million members of the military past and present, the worst was realized when the tape was stolen.
There are caveats, of course. True, the tapes were difficult to read and decipher. And yes, some of the data was encrypted. The organization had also taken “good faith” steps to protect data, in the midst of working on a solution for encrypting all data to ensure compliance with a long-standing federal mandate.
And yet, none of these issues has any bearing on the results of this massive data loss.
The data protection laws are crystal clear about the requirements in these situations: The data MUST be encrypted. The encryption MUST be provable by certifiable evidence, such as documented processes or, more importantly, log files that record the exact data and tape ID at the time the encryption was performed. When these requirements are not met, the laws are equally clear that public notification of the loss MUST take place within a specified period and remedies MUST be made for those who are potentially affected.
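The "provable" half of that requirement is the one organizations most often skip: encrypting a tape is easy, but showing afterwards, for a specific tape ID, that it was encrypted, with which key, when, and that the record itself has not been altered, takes a deliberate evidence trail. The following is an added example, not code from the original post or anything used by SAIC or TRICARE. It assumes the backup software has already produced the ciphertext with AES-256-GCM and that the key lives in a key-management system identified only by a key ID; the audit HMAC key, tape IDs and tape contents are constructed placeholders. Each record is canonicalized and signed with an HMAC so that a later reviewer (or a court) can check it was not forged or edited, and a tape is only cleared to leave the vault when an intact record exists and the ciphertext hash on the tape matches it.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholder; in practice this key lives in an HSM or KMS and is
# separate from the data-encryption keys so the evidence log cannot be rewritten
# by whoever operates the backup jobs.
AUDIT_KEY = b"constructed-audit-hmac-key-not-for-production"


def _canonical(body: dict) -> bytes:
    """Stable serialization so the MAC covers exactly the same bytes on verify."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def record_encryption(log, tape_id, ciphertext, key_id, backup_set, encrypted_at=None):
    """Append a signed evidence record proving that `tape_id` was written encrypted.

    `ciphertext` is the encrypted payload written to the tape (assumed to have been
    produced by the backup software with AES-256-GCM; the cipher itself is not shown).
    """
    entry = {
        "tape_id": tape_id,
        "backup_set": backup_set,
        "key_id": key_id,                          # KMS key reference, never the key
        "algorithm": "AES-256-GCM",                # assumed cipher used by the backup tool
        "ciphertext_sha256": hashlib.sha256(ciphertext).hexdigest(),
        "encrypted_at": encrypted_at or datetime.now(timezone.utc).isoformat(),
    }
    entry["mac"] = hmac.new(AUDIT_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def _mac_valid(entry: dict) -> bool:
    body = {k: v for k, v in entry.items() if k != "mac"}
    expected = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry.get("mac", ""))


def release_allowed(log, tape_id, ciphertext_on_tape=None):
    """Gate check before a tape leaves the vault. Returns (allowed, reason).

    Allowed only when a signed encryption record exists for the tape ID, the
    record's MAC verifies, and (if the tape is re-read) its contents hash to the
    ciphertext recorded at encryption time.
    """
    matches = [e for e in log if e.get("tape_id") == tape_id]
    if not matches:
        return False, "no encryption record for tape"
    entry = matches[-1]
    if not _mac_valid(entry):
        return False, "evidence record tampered or forged"
    if ciphertext_on_tape is not None:
        if hashlib.sha256(ciphertext_on_tape).hexdigest() != entry["ciphertext_sha256"]:
            return False, "tape contents do not match recorded ciphertext"
    return True, "encryption verified, recorded at " + entry["encrypted_at"]


def demo():
    """Constructed scenario: one tape with evidence, one without, one with a forged record."""
    log = []
    ciphertext = b"\x9a\x17constructed-ciphertext-bytes\x00\xff"  # placeholder payload
    record_encryption(log, "TAPE-0001", ciphertext, "kms-key-42", "health-records-weekly",
                      encrypted_at="2011-09-12T03:15:00+00:00")
    results = {
        "recorded": release_allowed(log, "TAPE-0001", ciphertext),
        "unrecorded": release_allowed(log, "TAPE-0002"),
    }
    # Someone edits the record to claim TAPE-0002 was the encrypted one: MAC no longer verifies.
    forged = dict(log[0], tape_id="TAPE-0002")
    results["forged"] = release_allowed([forged], "TAPE-0002")
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} allowed={ok} ({reason})")
```

The point of the MAC is not secrecy but non-repudiation within the organization: an operator who encrypted nothing cannot later add a backdated "encrypted" line, and an existing line cannot be re-pointed at a different tape without the check failing. Hashing the ciphertext, rather than only logging "encryption ran", is what lets the record be tied to the physical tape that went missing.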
Every public disclosure of data loss underlines what should be glaringly evident to any organization that has sensitive data stored anywhere: the data MUST be encrypted. More importantly, the encryption MUST be provable in a court of law. Without both requirements met, the loss of a laptop or tape, which is virtually guaranteed to happen at some point, becomes a reportable breach. As this case demonstrates, loss of public trust and bad press are sure to follow.