BreachExchange mailing list archives

Re: time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)


From: security curmudgeon <jericho () attrition org>
Date: Fri, 6 Jun 2008 20:06:01 +0000 (UTC)


: Let's say we do look at the commercial carrier, and the carrier offers 
: insurance against loss and the customer either chooses the insurance or 
: waives the insurance, most commercial carriers will make insurance 
: available, offered with disclosure that if a package's worth is more 
: than insurance will cover the carrier can refuse to carry the package, 
: based on what the customer has disclosed.  Interesting....

Which leads to, what did BNY (or others) claim the backup tapes were 
worth =)

Even if you go with a conservative estimate that one 'identity' is worth 
less than 20 bucks (recently stated in a paper), that is still a lot of 
money if the tapes have a million records. I really doubt BNY is 
declaring the tapes worth that much.

So we have a system of couriers, off-site storage and backup providers 
that seem to be a serious weak point in the data security. Taking this 
one step farther, what if the tape *is* encrypted using really strong 
encryption and the tape is lost. Does the company have to warn customers?

If not, will that lead to companies claiming strong encryption 
regardless, knowing that the odds of the unencrypted tape being 
discovered are very low, then falling back on "error in backup process, it 
should have been encrypted" claims?
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
