Senator Dianne Feinstein from California reintroduced bills S.139 and S.141 this week which aim to define what to do in case of a data breach. InternetNews reports on the story with an interesting twist.

Bill S.139 would require companies to notify both media and persons affecting by a data breach without an unreasonable delay. The question becomes, what constitutes an unreasonable delay? Does the time it takes to put together a spun press release constitute an unreasonable delay? Paul Davie, from Secerno makes a few statements pointing out the glaring oversites in the language of the bill.

Bill S.141 aims to prosecute the misuse of Social Security Numbers with the help of the Secret Service. I'm not sure if many people are aware, but Identity Theft is one of the pervues of the Secret Service as it falls under the investigation of major fraud on behalf of the US Treasury Department.

Both are at least steps in the right direction but both seem to fall short of the mark. Business in the United Stated is operated under the free market principles of Capitolism with a few exceptions due to regulation. One of the ideas behind capitolism is that is leaves the market flexible enough to adjust to overcome obstacles that businesses face. In some cases, regulation is required to make businesses do the right thing for their customer rather than the right thing for the immediate bottom line.

The problem we face in the current marketplace is that many businesses fail to take a long term view at what is best for the bottom line. I think in almost all cases, what is best for the customer is best for the bottom line when looking at the results in the long term. Instead, many companies look to the immediate gains to be had by cutting corners.

The failure of many companies to encrypt their backup data is a prime example of this case. In the short term it can be costly to convert a backup system to include encryption. In fact, the procedural changes alone for very large companies could cost in the hundreds of thousands of dollars aside from the technology acquisition. However, in the long term it would behoove these companies to make the change and encrypt their backup data since so many breaches occur each year. If a company does not encrypt their backup data it is only a matter of time before a breach occurs. If they are following the rules, they need to inform their customers of this breach which would result in falling customer confidence as well as outright losses in business. If there are no more customers to consume a businesses services, it is bad for the long term financial forecast.

This is not rocket science. This is just common sense. I have used large companies as an example in this post but smaller companies are not exempt from such concerns. In fact, every retail outfit that captures customer data is at risk if they are not following a backup plan that includes encrypting their data. The good news is that for small businesses, it is much easier and much more affordable to make the change.

What Can You Do?

Choose better software. Many software suites include encryption. The majority of them require you to perform some special steps to enable the encryption but it is there all the same. Even the software vendors that don't include encryption in their backup software will usually have an add-on that incorporates encryption.

Choose better hardware. Flash drives are a poor backup medium no matter what software you use to perform the backups. Flash drives are small and can be lost very easily and quickly. Removable Hard Drives, while cheap, tend to fail much quicker than most other backup mediums. The worst possible outcome is that your backup fails when you really need it because of a bad hard drive. I have seen this more times than I care to count. Recovery in most cases can cost upwards of $1500 and in some cases around $3000 for invasive recovery of removable hard drives. Tape is a fairly safe medium but it requires dilligence to make sure the tapes don't go bad at a critical moment.

Choose a better solution. It is pretty much a given that I will suggest Internet Backup as my company offers Internet Backup services. However, in most cases it is a cheaper method of backup than all other options. Internet Backup includes all of the software, hardware and labor needed in one small monthly payment. Since the payment is monthly, it is more manageable than outright purchasing a major overhaul of hardware and software. Since it includes all necessary labor from the Internet Backup vendor, you don't need to hire your tech support company to perform the backups. In many cases this can save you more money than it costs on a yearly basis.

Make a resolution this year to keep your customer data safe from breach. Encrypt your backups.

-The Concierge

From the article:
InternetNews Coverage of the Bills

---