BONY Loss Of Backup Tape With Unencrypted PII Is Disappointing…But Not Surprising

Late last week I communicated with Linda McGlasson about a story she was putting together for bankinfosecurity that was published today, “Bank of New York Mellon Investigated for Lost Data Tape: 4.5 Million Customers Potentially Exposed.”
It’s a good and interesting article; check it out.
In Linda’s article there was a quote from Bank of New York (BONY) Mellon’s spokesperson Ron Sommer,

“”There isn’t much point in sending out a notification letter if we don’t have the staff in place to respond to the calls in an appropriate way,” he says.”

Hmmm…so if a large bank, or organization of any size or industry for that matter, has an information security incident involving personally identifiable information (PII), but they don’t think they can handle the calls that would come from the impacted individuals, then they think it is okay NOT to provide notification?
Wow…isn’t the organization clearly putting itself, and not its customers, first with regard to concern by taking this attitude? Their lack of call center folks is more important to them than the customers whose PII they lost?
This seems like they are taking the attitude that, for the customers, ignorance of the incident will be bliss for them…
It also sounds like they need to get an effective privacy breach response plan in place, as ALL organizations need to do.
They also need to know that some U.S. breach notice laws require notification for any incidents involving PII; not all base notification upon likelihood that the PII has been, or will be, misused.
I wonder where their customers were located? With 4.5 million customers you’d think that some are probably located in those states with breach notice laws that require notification in this type of circumstance.
Linda used most of the thoughts I passed on to her. I wanted to provide all my thoughts I shared with her here…

“Regarding the BONY incident, it is disappointing to see such a large institution not taking due care actions to protect PII, but I really am not that surprised. From what I have seen, there are still very few organizations that are encrypting their backup tapes. Plus, while also disappointed with the BONY’s response, I am also not surprised; I think most organizations today would also react in the same way.
Why? Consider the incident:
“On February 27, Bank of New York Mellon gave the unencrypted backup tape containing information on about 4.5 million consumers — hundreds of thousands of them People’s United Bank customers and investors — and nine other tapes to a storage firm, Archive Systems, Inc., for transportation to a storage facility. When the storage company vehicle arrived at the storage facility, the tape was missing. The other nine tapes reached the facility safely.”
Over the past couple of years when speaking with numerous CISOs, CIOs, CPOs and CEOs, I’ve found that most still overwhelmingly do not consider the risk to PII of this type of situation that great because…

  • They do not believe that the “average” person would have the equipment necessary to actually read the backup media, often on tapes that require special equipment. Thus, they do not invest in the technology necessary to encrypt backup data on these types of media.
  • Unless they know the tape was purposefully stolen, they believe it is more likely the tape was just “lost.” They point to numerous reported incidents where this was the case, such as the case a couple of years ago when an ABN AMRO backup tape of mortgage customer info was “lost”, and then they notified all customers, but then they found the tape a few days after their notification; it had simply been misplaced by one of the employees from the location where it should have been stored.

Both of these are certainly possibilities. However, whenever PII is involved that can hurt your customers in any of many ways…trash their credit reports, result in identity theft, or even physical crimes resulting from criminals having home addresses…organizations who are entrusted with customer PII should take responsibility for their incidents and err on the side of being overly cautious.
Investing a few thousand dollars, and possibly even more for an organization the size of BONY, to strongly encrypt any type of PII that is mobile (including on backup tapes), along with providing effective training and ongoing awareness communications to all personnel about how to safeguard information, and establishing a thoughtful information security incident and privacy breach response plan that is consistently followed, is reasonable to expect from businesses who have been entrusted with PII. If they abuse that trust by not doing these activities and then a privacy breach occurs, not only will they lose customer trust, they will also likely lose customers and possibly gain some nasty civil suits.”

Tags: , , , , , , , , , , , ,

Leave a Reply