Does Lost Computer Tape Equate to Lost Data?

How to Define "Data Security Compromise"?

Computerworld reports that the State of Ohio spent $3 million to remedy the breach of data security resulting from loss of a backup computer storage tape. The computer tape was sitting temporarily in an intern's automobile. The tape held sensitive (unencrypted) data such as social security numbers on thousands of state employees and taxpayers. Most of the $3 million went to giving the affected individuals free credit protection service . . .

Waste of Taxpayer Money

The expenditure of $3 million to deal with this security incident is nuts. The compromise of the tape's physical security does not necessarily mean that the data on the tape had been compromised or even threatened with compromise. What's the likelihood that a thief who steals something from a car is going to possess the equipment, knowledge, talent, patience and courage necessary to read the tape, figure out how to abuse the data on it, and then undertake the risky business of actually committing identity theft? My sense is that the likelihood is very low.

The skills needed to commit successful identity theft are very different from the skills needed to make an opportunistic theft of the contents of an automobile.

Some data breaches are serious, and some are not. This one doesn't sound serious. The $3 million went down a rat hole.

Lost Backup Tape:  What's the Big Problem?

Question: Are readers aware of any documented case where a lost backup tape led to identity theft?


--Benjamin Wright

Mr. Wright, a practicing attorney, teaches the Law of Data Security and Investigations at the SANS Institute.


[Postscript: My friend Mich Kabay has been writing about customs agents inspecting laptops as their owners cross international borders. Someone asked Mich whether an enterprise has suffered a data breach requiring notice if it gives a decryption key to customs so it can inspect the contents of a laptop containing personal information. My response: Some people unwisely set a low threshold for considering data to be compromised or for requiring the delivery of a breach notice. It would be ridiculous to say that cooperation with law enforcement (i.e., duly-authorized customs officials) constitutes a data security breach!]

Update: See my analysis of a breach notification where data on stolen laptop are encrypted.