Oops, they did it again. When Ameritrade announced that it had lost backup tapes containing personal information about 200,000 of its customers, there was a clear sense of--in the words of the famous New York Yankee pundit Yogi Berra--déjà vu all over again. After all, just 2 months ago, Bank of America revealed that it had lost tapes containing data for 1.2 million federal employees.
Although troubling on their own, these incidents are just two of what has become a steady stream of announcements from companies admitting that confidential information stored in their data systems might have been accessed in an unauthorized or illegal fashion. During one week in March alone, Boston College sent a warning letter to 120,000 of its alumni alerting them that an unknown hacker might have stolen their addresses and Social Security numbers; thousands of current, former, and prospective students, faculty, and staff at California State University, Chico, received a similar unwelcome announcement; and shoppers at 103 DSW Shoe Warehouse stores learned that credit card and purchase information had been stolen and was being used fraudulently. Just what is going on here?
Part of what's going on is the California Database Breach Act, also known in the world of regulatory compliance as California's SB 1386. Though much of the attention and analysis of the new regulatory impact on information technology has rightly focused on Sarbanes-Oxley compliance, SB 1386, which took effect in July 2003, could ultimately have an even more far-reaching effect on a broader range of companies.
The key provision of SB 1386 is that any business or agency that uses a computer to store confidential personal information about a California resident must immediately notify that individual, upon discovering any breach to the computer system on which this information is stored. Failure to do so could result in civil actions and lawsuits.
Unlike Sarbanes-Oxley, which applies only to publicly held companies, SB 1386 applies to all companies regardless of size that have stored confidential information about even one California resident--either a customer or an employee. Clearly enterprises of all sizes must pay attention, as must companies that do business over the Internet or with California-based clients. Moreover, the sophistication of the computer system on which the data is stored makes no difference. Nor does using an outsourcing provider to store the data protect an enterprise from the legal consequences of a data breach.
Traditionally, security infrastructures have focused on two primary areas: protection of the perimeter and of data in transit. Firewalls, Intrusion Detection Systems (IDSs), and prevention systems have been designed to prevent unauthorized access to computer networks. And protocols such as Secure Sockets Layer (SSL) were used to encrypt data as it moved between different systems. Neither protection mechanism is now sufficient to protect you against liability for a security breach.
The growing number of public disclosures of information breaches has directed attention to the need to protect data sitting in storage systems, which is now called data at rest. Several approaches to protecting data at rest have emerged. One tactic is to install additional layers of security inside the perimeter, closer to the stored data itself. For example, several companies now offer appliances that can monitor and audit databases, issuing real-time alerts when they detect unauthorized activity.
On a second front, storage vendors are increasingly looking at encrypting stored information. For example, IBM recently added encryption to its Data Retention 550 (DR550) compliance-archiving solution by bundling IBM Tivoli Storage Manager 5.3 with it. A handful of smaller companies are also offering encryption solutions.
Encryption, which could help companies meet SB 1386 regulations, isn't a "no-brainer" solution. First, encrypting a lot of data can affect application performance. After all, if data is encrypted, it must ultimately be unencrypted before it can be used. Second, the maintenance of the encryption keys has to be carefully managed. Third, if encryption is used, it has to trickle down to every tier of the storage infrastructure.
Although SB 1386 is a California regulation, it will have national and perhaps international impact. Not only do many observers believe that it will ultimately serve as a model for a national database privacy protection act--indeed Dianne Feinstein, a U.S. senator from California, has introduced such a measure--larger companies that don't have proper procedures in place to deal with its rules might be in violation of Section 404 of the Sarbanes-Oxley Act as well. (Section 404 relates to internal controls.)
For storage administrators, SB 1386 represents a broadening of responsibilities. Data security and protection have to move up the priority list. Storage administrators must see themselves as the stewards of data at rest and respond accordingly.