City National Bank has become the second company in two months to experience a loss of backup tapes in transit by Iron Mountain Inc. The Los Angeles-based bank disclosed Thursday that two tapes containing sensitive data, including Social Security numbers, account numbers, and other customer information, were lost during transport to a secure storage facility.
The bank said the data was formatted to make the tapes difficult to read without highly specialized skills, but declines to say if they were encrypted. It said there's no evidence that data on the tapes has been compromised or misused.
Iron Mountain said it lost the tapes in April. The tapes were in a small container of backup tapes belonging to a Texas-based Internet services provider that hosts applications for City National and other banks. The incident has been investigated by federal law-enforcement officials and no evidence has been found of identity-theft relating to the loss.
In May, Time Warner revealed that tapes containing data, including names and Social Security numbers, on 600,000 current and former employees disappeared in March while being shipped to an offsite storage facility operated by Iron Mountain.
Other lost-tape incidents that have made headlines this year have involved Bank of America, Citigroup, and Ameritrade.
In a letter to customers, City National said it was conducting a comprehensive review of its security procedures. "Clearly, information security is a growing concern throughout business everywhere," the letter said.
Iron Mountain, in a statement, said, "Given the criticality of disaster recovery and the need for privacy protection, we continue to recommend that companies encrypt back-up tapes that contain personal information."
Under California's Security Breach Notification law, companies are required to provide notice of a breach in the security of data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In providing notification, City National did "more than was required" on behalf of our clients, a spokeswoman says.
A bill introduced last month in Congress would require such notification, but exempts companies if a risk assessment conducted with law enforcement determines that the risk of fraud is minimal. It also exempts companies if compromised data can't be used to commit fraud or if the company has a security program reasonably designed to block the data's use for fraudulent transactions.
Only 7% of businesses encrypt all backup tapes, according to Enterprise Strategy Group. Alternatives to backup tapes, such as electronic disk backups, are being used by many companies; Citigroup is starting to use it this month following its tape-loss incident.
AmeriVault Corp., a provider of disk-based backup systems, is recommending that customers prioritize applications for backup purposes and designate the most critical ones for disk backup and less-critical ones for tape. "You don't need to rely on one solution," says AmeriVault president and CEO Bud Stoddard. Prioritization, he says, "allows you to protect 10% to 20% of your data electronically instead of relying on trucks and tapes."