Skip the navigation

How to avoid 5 common storage mishaps

Blindsided! These companies thought they had their stored data locked tight, but they were wrong. Here's how you can avoid a similar fate.

By Mary Brandel
February 9, 2009 12:00 PM ET

Computerworld - Think you can guess the No. 1 threat to the security of your stored data? If you said hackers, or even trouble-making insiders, you'd be wrong. While malicious threats are an ongoing concern, it's your well-meaning employees who are more likely to unknowingly expose your company's stored data through, say, a file-sharing network or a misplaced laptop.

In fact, a recent Ponemon Institute study found that negligent insiders are by far the biggest threat to data security, accounting for 78% of all breaches.

In this special report, you'll learn the latest techniques for protecting stored data within company walls as well as stored data that flows freely in and out of your organization on laptops, tapes and other movable media.

And don't forget to take the Storage Networking Industry Association's storage security self-assessment quiz and test how well your stored data is protected. Plus, brush up on storage terms with SNIA's online glossary and resource guide.

Data breaches, unfortunately, have become a way of life for corporate America. According to the Identity Theft Resource Center (ITRC), 2008 saw a 47% increase in documented data breaches from the year before. And those are just the ones that made the news, says Craig Muller, an identity theft expert and founder of Identity Doctor in Irvine, Calif. "I get e-mails constantly telling me of breaches," he says.

The public is definitely feeling the pain. In a 2008 study by the Ponemon Institute in Traverse City, Mich., over half (55%) of 1,795 adult respondents across the U.S. said they'd been notified of two or more data breaches in the previous 24 months, and 8% said that they'd received four or more notifications.

But companies are still not sure how to protect themselves. In a Ponemon survey released last month, only 16% of the 577 security professionals who responded said that they were confident or very confident that current security practices could prevent the loss or theft of customer or employee data.

One way to gain confidence is to examine actual breaches and learn from them. Here's a look at five common types of breaches, with advice about how to avoid similar mishaps.

1. Stolen Equipment

In May 2006, personal data on 26.5 million veterans was compromised when a laptop and a storage disk were stolen from the home of a subcontractor working for the U.S. Department of Veterans Affairs. Both items were recovered, and arrests were made. The FBI claimed that no data had been stolen, but the incident prompted sweeping reform at the VA. However, in January 2007, another breach occurred when a laptop was stolen from an Alabama medical facility, exposing personal data on 535,000 veterans and more than 1.3 million physicians.

Costs: By June 2006, the VA was burning through $200,000 a day to operate a call center to answer questions about the breach. It also spent $1 million to print and mail notification letters. It was given permission to reallocate up to $25 million to pay for those costs. Class-action lawsuits were also filed, including one demanding $1,000 in damages for each person affected. After the 2007 breach, the VA set aside an additional $20 million for breach-related costs. And the department recently agreed to pay $20 million to current and former military personnel to settle a class-action lawsuit.

Blinders: Lost or stolen equipment accounts for the largest portion of breaches -- about 20% in 2008, says the ITRC. According to Bart Lazar, a partner in the Chicago office of law firm Seyfarth Shaw LLP, incidents involving lost or stolen laptops make up the majority of data-breach cases he works on.

Eye-openers: Lazar recommends restricting the placement of personal identifying information on laptops. For instance, don't tie customer or employee names to other identifiers, such as Social Security or credit card numbers; alternatively, you can truncate those numbers. Also, consider creating your own unique identifiers by, for example, combining letters from an individual's last name with the last four digits of his Social Security number.



Our Commenting Policies