Iron Mountain has lost its fair share of backup tapes over the years. Enough to end up in the headlines more than once, but it doesn’t seem to have affected their business. Heck, they even issued a press release calling for their clients (and everyone else) to encrypt their tapes.
According to this article (picked up via SANS NewsBites), after another tape loss leading to a public disclosure, the State of Louisiana is switching to an alternate provider and may sue Iron Mountain.
Look, we all know mistakes happen and tapes will fall off the backs of trucks. Even in New Jersey. But in cases like this one there is clearly shared responsibility.
I’ve heard Iron Mountain isn’t always as diligent about handling tapes as they should be. When you have hundreds, maybe thousands, of trucks roaming the country not every driver will stick to the standard.
On the other hand, if you’re playing with Social Security or credit card numbers, and you aren’t encrypting, you’d better make darn sure you have some other risk mitigation in place. Did the Louisiana Student Financial Assistance Commission evaluate and audit Iron Mountain’s procedures? Did they consider the risk of a lost tape? Did they have Service Level Agreements guaranteeing no lost tapes?
Iron Mountain clearly has some responsibility, but I suspect there’s nothing in the contract that gives their customers any remedy. On the other hand, their customers need to recognize that despite the marketing, Iron Mountain will lose a certain percentage of their tapes.
My recommendation is that if you’re handling data that, if lost, will land you in the headlines, you need to encrypt it or keep it off the tapes. I get asked a lot about all those tapes already in archives, and I think diligent asset management is more realistic than trying to encrypt everything already locked away.
If you can’t afford encryption or to change your practices, understand you are implicitly accepting a level of risk. Even if you find someone willing to guarantee you they’ll never lose a tape, when they do it will be your company’s name in the headline and theirs in the second paragraph.
One Reply to “Should Iron Mountain Finally Pay For Losing Customer Data?”
Iron Mountain is providing a service. That service is storage unless otherwise stated in the contract. My understanding about Iron Mountain is that they are good because they provide a nice, comfortable environment for archiving materials. An added security bonus comes from remote location and access constraints. But unless the company purchasing their services specifically addresses the need for extra protections necessary to ensure the security of their tapes by Iron Mountain, the purchasing company has to take the responsibility themselves.
In my opinion this comes from the security professionals not being involved enough in the purchasing process. Unless you have somebody on the staff asking the right questions, the issues are not going to be addressed. Data security policies should ensure that all contracts involving sensitive information are reviewed by a security professional, at the very least. The best scenario, however, would be to include the security professional in the entire purchasing process to ensure that the requirements are built into the Request For Proposal (or whatever method the company is using).
Go forth and do good things,
Don C. Weber