Tales of the Tapes

The Hole | Let’s not forget the good ole data tape—in particular, CitiFinancial’s now-infamous UPS shipment of unencrypted computer tapes that were lost in transit to a credit bureau. A whopping 3.9 million CitiFinancial customers’ data was on those tapes, including their names, Social Security numbers, account numbers and payment histories.

The Problem | CitiFinancial has stated it "[has] no reason to believe that this information has been used inappropriately." But on the other hand, there’s no reason to believe that it won’t be.

There are companies that specialize in handling data tapes, Iron Mountain for one. But even Iron Mountain is not impervious to security snafus. In May, Time Warner announced that Iron Mountain had lost 40 backup tapes that had the names and Social Security numbers for 600,000 of its current and former U.S.-based employees and for some of their dependents and beneficiaries. Iron Mountain says it has recently suffered three other "events of human error" that resulted in the loss of customers’ backup tapes—and these are the guys who supposedly are all about security and nothing else.

The Solution | In July, Citigroup said it will start shipping customer information via direct, encrypted electronic transmissions. Though "you can squeeze a lot more data into a truck than you can over the wire," Couture of Gartner Research says, "[sending data electronically] could be cost-effective for smaller companies with small amounts of data." Citigroup’s new shipping method will also take much of the people part out of the equation. "Any time you have to touch that tape and add a human element in the process, there’s the potential [for] incompetence, malfeasance, and pure and simple stupidity," Couture says. (For more on solutions to identity theft, see "New Locks, New Keys" on Page 88.)

How Much for a BlackBerry?

The Hole | This tale has been told so often that it is teetering on the brink of urban legend status: Back in 2003, a former Morgan Stanley executive, apparently with no more use for his BlackBerry, sold the device on eBay for a whopping $15.50.

The Problem | The surprised buyer soon found out that the BlackBerry still contained hundreds of confidential Morgan Stanley e-mails, according to a Forrester report.

The Solution | First, users with handhelds, laptops and other devices need to be made to understand what’s really at stake. "It’s not the laptops that are the issue; it’s what’s on them," says For-rester’s Friedlander. Second, CIOs need to institute a repeatable and enforceable policy for device and access management—even for high-powered executives. When someone leaves the company, he should have to turn in all of his corporate-issued devices, and IS should lock him out of all applications to which he had access. "If you have 1,000 users, there should be 1,000 accounts," says the CISO of a large Midwestern financial services company. "So why are there 1,400? Because people who have left still have authority to log in." According to the Forrester report, Morgan Stanley did have a policy that stated that mobile devices should be returned to IS for "data cleansing," but this exec must have slipped through the front door.