RealTime IT News

Bank's Encryption Pledge Could be Contagious

CitiFinancial's move to digitally encrypt customer data next month in the wake of lost storage tapes could spur other organizations to follow suit, an information security analyst said Tuesday.

Jon Oltsik, of Enterprise Strategy Group, said interest in digital data encryption has picked up in 2005 after a handful of incidents where couriers lost tapes en route from one office to another.

Bank of America had to fix a similar problem in February. Time Warner said last month that it had lost the data tapes for 600,000 customers.

In the new case, UPS lost a box of tapes it picked up at a CitiFinancial facility in Weehawken, N.J., on May 2. The tapes, which contained personal information such as bank account and Social Security numbers of some 3.9 million customers, never made it to their Allen, Texas, destination.

What makes CitiFinancial's case interesting is not so much that the bank, a loan provisions division of CitiGroup, said it was switching to digital, but that it had already planned to do so before the tape gaffe.

"CitiFinancial is planning to send data through encrypted electronic transmission and not through a third-party courier in July," said a spokesman for CitiFinancial. "That was a change that was in the works before this happened."

The CitiFinancial spokesman, who said the data was not encrypted, declined to say what kind of solutions the bank was looking at to encrypt.

But solutions could include services and software from companies like Glasshouse Technologies, Kasten Chase, or Symantec. Fixes might also include storage security appliances and software from vendors like Decru, Vormetric and NeoScale.

Oltsik said CitiFinancial is so well respected in the industry for its attention to security that its promise to go digital could spark a domino effect in other companies that still use tape storage.

"I do think that will spur an action," Oltsik said in an interview. "We've seen an uptick in actions since the Bank of America incident. It's kind of baby steps, but it's movement in the right direction."

Oltsik is basing his opinion on a recent survey he conducted of 232 storage professionals. In the survey, he asked them if the recent wave of lost or stolen tapes changed their company's approach to security as it pertains to data protection.

Forty-seven percent of respondents said the events have prompted their organizations to take some type of action.

One-quarter of those surveyed said they are reviewing their off-site tape storage provider's policies and procedures; 23 percent have accelerated their deployment of data-encryption technologies; and 19 percent have conducted or plan to conduct a gut-check of their data-protection scheme.

Still, there are inconsistencies. Oltsik said ESG's new data indicates that, although actions are being taken, some apathy and idealistic expectations persist around storage security.

For example, in the face of recent identity theft and documented storage vulnerabilities, 42 percent of users said that these recent incidents have prompted no change in their security processes.

The data indicates some security movement in the storage marketplace but does not demonstrate any sense of urgency. ESG believes this is a risky mistake that could lead to devastating consequences, Oltsik said in the brief.

Oltsik sees CitiFinancial taking the other tack, paving the way for other major corporations to up their security around stored data.

"CitiGroup is known as a cutting-edge IT shop. They've been very vocal about a five-year plan they have for security to really lock down their systems and their network," Oltsik said. "So if Citibank comes out and says we will encrypt our data, I do believe that it's a leading indicator that it's time that people really take this seriously."

Oltsik said institutions that embrace security will find themselves with a market advantage over lethargic peers. Moreover, companies can save themselves a lot of grief in being proactive on the security score.

Congressional representatives are breathing down the necks of large corporations that suddenly find themselves in the embarrassing spotlight of stolen or lost customer information.

Senators are urging new laws requiring institutions whose data is not encrypted to advise customers of any lost personal data. California has such a law in place, thanks to Sen. Dianne Feinstein.