Bank’s Encryption Pledge Could be Contagious


CitiFinancial’s move to digitally encrypt customer data next month in the
wake of lost storage tapes could spur other organizations to follow suit, an
information security analyst said Tuesday.


Jon Oltsik, of Enterprise Strategy Group, said interest in digital data
encryption has picked up in 2005 after a handful of incidents where couriers
lost tapes en route from one office to another.


Bank of America had to fix a similar problem in February. Time Warner said
last month that it had lost the data tapes for 600,000 customers.


In the new case, UPS lost a box of tapes it picked up at a CitiFinancial
facility in Weehawken, N.J., on May 2. The tapes, which contained personal
information such as bank account and Social Security numbers of some 3.9
million customers, never made it to their Allen, Texas, destination.


What makes CitiFinancial’s case interesting is not so much that the bank, a
loan provisions division of CitiGroup, said it was switching to digital, but
that it had already planned to do so before the tape gaffe.


“CitiFinancial is planning to send data through encrypted electronic
transmission and not through a third-party courier in July,” said a
spokesman for CitiFinancial. “That was a change that was in the works before
this happened.”


The CitiFinancial spokesman, who said the data was not encrypted, declined
to say what kind of solutions the bank was looking at to encrypt.


But solutions could include anything from services and software from companies
like Glasshouse Technologies, Kasten Chase, or Symantec. Fixes might also
include storage security appliances and software from vendors like Decru,
Vormetric and NeoScale.


Oltsik said CitiFinancial is so well respected in the industry for its
attention to security that its promise to go digital could spark a domino
effect in other companies who still use tape storage.


“I do think that will spur an action,” Oltsik said in an interview. “We’ve
seen an uptick in actions since the Bank of America incident. It’s kind of
baby steps, but it’s movement in the right direction.”


Oltsik is basing his opinion on a recent survey he conducted of 232 storage
professionals. In the survey, he asked them if the recent wave of lost or stolen
tapes changed their company’s approach to security as it pertains to data
protection.


Forty-seven percent of respondents said the events have prompted their
organizations to take some type of action.


One-quarter of those surveyed said they are reviewing their off-site tape
storage provider’s policies and procedures; 23 percent have accelerated
their deployment of data-encryption technologies; and 19 percent have conducted
or plan to conduct a gut-check of their data-protection scheme.


Still, there are inconsistencies. Oltsik said ESG’s new data indicates that,
although actions are being taken, there is some continued apathy and
idealistic expectations around storage security.


For example, in the face of recent identity theft and documented storage
vulnerabilities, 42 percent of users said that these recent incidents have
prompted no change in their security processes.


The data indicates some security movement in the storage marketplace but
does not demonstrate any sense of urgency. ESG believes this is a risky
mistake that could lead to devastating consequences, Oltsik said in the
brief.


Oltsik sees CitiFinancial taking the other tack, paving the way for other
major corporations to up their security around stored data.


“CitiGroup is known as a cutting-edge IT shop. They’ve been very vocal about
a five-year plan they have for security to really lock down their systems
and their network,” Oltsik said. “So if Citibank comes out and says we will
encrypt our data, I do believe that it’s a leading indicator that it’s time
that people really take this seriously.”


Oltsik said institutions that embrace security will find themselves with a
market advantage over lethargic peers. Moreover, companies can save
themselves a lot of grief in being proactive on the security score.


Congressional representatives are breathing down the necks of large
corporations that suddenly find themselves in the embarrassing spotlight of
stolen or lost customer information.


Senators are urging new laws requiring institutions whose data is not
encrypted to advise customers of any lost personal data. California has such
a law in place, thanks to Sen. Dianne Feinstein.
