How to avoid 5 common storage mishaps

Blindsided! These companies thought they had their stored data locked tight, but they were wrong. Here's how you can avoid a similar fate.

Blinders: Lost or stolen equipment accounts for the largest portion of breaches -- about 20 percent in 2008, says the ITRC. According to Bart Lazar, a partner in the Chicago office of law firm Seyfarth Shaw, incidents involving lost or stolen laptops make up the majority of data-breach cases he works on.

Eye-openers: Lazar recommends restricting the placement of personal identifying information on laptops. For instance, don't tie customer or employee names to other identifiers, such as Social Security or credit card numbers; alternatively, you can truncate those numbers. Also, consider creating your own unique identifiers by, for example, combining letters from an individual's last name with the last four digits of his Social Security number.

Second, require personal information on laptops to be encrypted, despite the potential cost (US$50 to $100 per laptop) and performance hit that involves, says Lazar. This needs to be accompanied by consciousness-raising, says Blair Semple, storage security evangelist at NetApp and vice chairman at the Storage Networking Industry Association's Storage Security Industry Forum. "I've seen situations where people had the capability to encrypt but didn't," he says. "Scrambling the bits is the easy part; it's the management and deployment that's hard."

Third, Lazar recommends policies requiring very strong passwords to protect data on stolen devices.
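The first recommendation above (truncate Social Security and credit card numbers, and replace the name with an identifier built from last-name letters plus the last four Social Security digits) can be applied to records before they are copied to a laptop. The following Python sketch is an added example, not from the article or anyone quoted in it; the field names, the choice of three letters, the function names and the sample rows are assumptions made for illustration.

```python
import re

# Constructed sample rows; every name and number here is made up.
SAMPLE_ROWS = [
    {"last_name": "Okafor", "ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
    {"last_name": "Li", "ssn": "987654321", "card": "5500-0000-0000-0004"},
]

def digits_of(value):
    return re.sub(r"\D", "", value)

def truncate(value, keep=4):
    """Mask every digit except the last `keep`, leaving separators in place."""
    total = len(digits_of(value))
    # Fail closed: a value too short to truncate safely is masked entirely.
    first_visible = total - keep if total > keep else total
    seen, out = 0, []
    for ch in value:
        if ch.isdigit():
            out.append(ch if seen >= first_visible else "X")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)

def surrogate_id(last_name, ssn, letters=3):
    """Letters from the last name plus the last four SSN digits."""
    ssn_digits = digits_of(ssn)
    if len(ssn_digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    # Assumption: three letters, upper-cased; the article does not say how many.
    prefix = re.sub(r"[^A-Za-z]", "", last_name)[:letters].upper()
    return prefix + ssn_digits[-4:]

def laptop_copy(row):
    """Record that may leave the server: no name, no full number."""
    return {
        "id": surrogate_id(row["last_name"], row["ssn"]),
        "ssn": truncate(row["ssn"]),
        "card": truncate(row["card"]),
    }

def has_full_number(record, min_digits=9):
    """Pre-export check: does any field still hold a long run of digits?"""
    return any(len(digits_of(str(v))) >= min_digits for v in record.values())

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        safe = laptop_copy(row)
        assert not has_full_number(safe)
        print(safe)
```

Running `has_full_number` over every record in an export before it is written to a portable device gives a simple gate that rejects files still carrying untruncated identifiers.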

2. Insider Theft

In November 2007, a senior database administrator at Certegy Check Services, a subsidiary of Fidelity National Information Services, used his privileged access to steal records belonging to more than 8.5 million customers. He then sold the data to a broker for US$500,000, and the broker resold it to direct marketers. The employee was sentenced to over four years in jail and fined US$3.2 million. According to company officials, no identity theft occurred, although affected consumers received marketing solicitations from the companies that bought the data.

In another high-profile case, a 10-year veteran scientist at DuPont downloaded trade secrets valued at US$400 million before leaving the company in late 2005 to join a competitor in Asia. According to court records, he used his privileged access to download about 22,000 document abstracts and view about 16,700 full-text PDF files. The documents covered most of DuPont's major product lines, including some emerging technologies. The scientist did this while in discussions with the competitor and for two months after accepting the job. He was sentenced to 18 months in federal prison, fined US$30,000 and ordered to pay US$14,500 in restitution.

Costs: In DuPont's case, the estimated value of the trade secrets was more than US$400 million, although the government pegged the company's loss at about US$180,500 in out-of-pocket expenses. There was no evidence that the confidential information was transferred to the competitor, which cooperated in the case.

According to Semple, theft of customer information is nearly always more costly than theft of intellectual property. In Certegy's case, a 2008 settlement provided compensation of up to $20,000 for certain unreimbursed identity theft losses for all class-action plaintiffs whose personal or financial information was stolen.

Stories by Mary Brandel
