In mid-March, lawmakers in Washington were busy grilling executives from Bank of America Corp., ChoicePoint Inc. and LexisNexis about recent breaches of security that led to personal data of hundreds of thousands of people ending up in the wrong hands.
In most cases the data went out “through the front door”, as it were, with criminals posing as legitimate customers of ChoicePoint and LexisNexis services. As those companies now race to guard the front door, I couldn’t help but think about a new “back door” that many businesses are building for themselves: third-party back-up services.
As the current examples (and many others) illustrate, it is difficult enough to protect data when one has complete control over it. With the surge in popularity of third-party online back-up services, how will that complicate an already-complex issue?
For decades, “backup” meant spooling off tapes, managing various media and retention dates and, ultimately, shipping back-up tapes to physically secure locations using the services of a company such as Iron Mountain.
Recently, though, companies such as LiveVault Corp. came on the scene to offer services that eliminated the tape and the travel by backing up your disk to their disk over a WAN connection. In one stroke, they solved the “offsite” problem (i.e., needing an emergency copy at a safe location) and the myriad issues related to tape management. Tape, of course, remains a vitally important component of backup, but that’s another column.
But — and you knew that was coming — putting a third-party back-up company into the mix creates at least the possibility of a back door through which data can be compromised.
Interestingly, there is a LiveVault-LexisNexis nexus. Last September, LiveVault announced that LexisNexis would offer the former’s services to the latter’s legal and business customers.
So let’s play what-if and run through some hypothetical scenarios using these companies as placeholders: While data transmitted to LiveVault can be encrypted across a VPN, it would appear that once the data reaches the “secure, remote facility” it sits on disk in all its unencrypted glory. A VPN protects the data only while it is on the wire; once it is written to disk at the far end, its safety depends entirely on the provider’s own access controls. I don’t know of many small businesses or law offices that keep their data encrypted on their in-house servers.
I could be wrong, but I couldn’t find any reference on LiveVault’s site that declared that the stored data was safe from any potential miscreants who happened to have access to the “secure location.” In theory at least, someone either hacking into said location or a criminally minded data-centre employee could walk off with a goldmine of data. After all, providers of online backup are likely handling data for perhaps hundreds of companies.
So should something get out through the back door, which of the companies involved is liable for the damage incurred? If you are the law firm whose records have been compromised, do you sue LexisNexis or LiveVault? And one wonders what their response would be. Would they simply try to put the blame on you saying that you should have stored sensitive information encrypted? Probably.
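What “you should have stored it encrypted” means in practice is encrypting the backup on your own machine, with a key the provider never sees, before it ever crosses the VPN. The following is an added example, not code from LiveVault, LexisNexis or the original column. It is stdlib-only Python, so it uses HMAC-SHA256 run in counter mode as the stream cipher with a separate HMAC key for integrity (encrypt-then-MAC) rather than a real AEAD; the sample record, passphrase and format tag are constructed for illustration.

```python
"""Client-side encrypt-then-MAC of a backup before it leaves the office.

Added example, not LiveVault's or LexisNexis's code. Standard library only:
a PRF (HMAC-SHA256) in counter mode is the stream cipher and a second key
gives an integrity tag. In production use AES-GCM or ChaCha20-Poly1305 from
a vetted library; the structure is the point: keys stay with the customer,
the provider stores only ciphertext plus tag.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"BKUP1"          # constructed format tag so a restore rejects foreign blobs
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32              # HMAC-SHA256 output length
PBKDF2_ROUNDS = 200_000   # tune upward for your hardware


def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Stretch the customer's passphrase into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block_i = HMAC(enc_key, nonce || i), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_backup(plaintext: bytes, passphrase: str) -> bytes:
    """Produce the blob that is shipped to the provider: MAGIC||salt||nonce||ct||tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)     # fresh per backup; never reused with the same key
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()  # covers header too
    return header + ct + tag


def decrypt_backup(blob: bytes, passphrase: str) -> bytes:
    """Restore path: verify the tag in constant time BEFORE touching the ciphertext."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a backup blob")
    header, ct, tag = blob[:hdr_len], blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    salt = header[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = header[len(MAGIC) + SALT_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("backup tampered with or wrong passphrase")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def leaks_plaintext(blob: bytes, *needles: bytes) -> bool:
    """What a data-centre insider could grep for: is any needle visible in the blob?"""
    return any(n in blob for n in needles)


# Constructed sample record for a hypothetical law office; not real data.
SAMPLE_RECORD = (b"client=Acme Holdings\nmatter=2005-0417\nssn=000-00-0000\n"
                 b"notes=settlement terms confidential\n")

if __name__ == "__main__":
    passphrase = "correct horse battery staple"   # constructed; keep it off the provider's systems
    blob = encrypt_backup(SAMPLE_RECORD, passphrase)
    print("shipped bytes:", len(blob),
          "plaintext visible to insider:", leaks_plaintext(blob, b"Acme", b"ssn="))
    assert decrypt_backup(blob, passphrase) == SAMPLE_RECORD
    # Flip one ciphertext byte, as a tampering insider might, and watch the restore refuse it.
    tampered = blob[:-TAG_LEN - 1] + bytes([blob[-TAG_LEN - 1] ^ 1]) + blob[-TAG_LEN:]
    try:
        decrypt_backup(tampered, passphrase)
    except ValueError as err:
        print("restore refused:", err)
```

Run it and the shipped blob contains no recognisable client name or SSN, and a flipped ciphertext byte or the wrong passphrase is refused before any plaintext is produced. In a real deployment replace the HMAC-counter cipher with AES-GCM or ChaCha20-Poly1305 from a vetted library and prefer a random key held in a key manager over a passphrase; what survives is that an intruder or a criminally minded employee at the “secure location” then walks off with ciphertext only, and the liability question in the column becomes far less interesting.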
Given the growing popularity of these services, it would be nice to see prospective customers asking these tough questions and vendors addressing these issues head on.