Author: Brenden Doyle, Senior Consultant
As of March 1, 2010, any company that holds electronic records containing personal information about a Massachusetts resident must protect that information against loss and unauthorized access, per 201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH. What does this mean for corporations?
Unlike Sarbanes-Oxley, which forces corporate entities to take specific actions to demonstrate compliance with stated requirements, the Massachusetts Data Protection Regulation (201 CMR 17.00) requires safeguards that are "reasonable" for the size, resources and data holdings of the business. In practice that is a "best effort" standard: a corporation must protect certain types of data to the best of its ability rather than tick off a fixed checklist.
This subtle change in wording places the burden squarely on the corporate entity for protecting personal information, but leaves much up to interpretation. While non-compliance with Sarbanes-Oxley is potentially defensible in court by a corporation arguing that a specific requirement is financially burdensome, 201 CMR 17.00 centers on the answer to the question "Did you do everything within your power to protect this information?" This can lead to uncomfortable questions about the cost of individual technical controls, such as "Is $50,000 too much of a financial burden for a company that had XX amount of profits last year to protect a customer's personal information?" This is not a line of questioning any corporate attorney wants to face, and certainly not following a public data breach.
Many incidents of backup tapes being lost are well documented, and the size of a breach from a single lost set of backups can be astronomical. With the high-capacity tape media available today, one LTO-4 cartridge holds 800 GB natively and 1.6 TB at the nominal 2:1 hardware compression ratio. Just one tape could contain the entire HR database or the sales and customer information for a whole quarter. With so much data on a single piece of media, the loss of a box of tapes could mean the loss of corporate records for an entire week, month, quarter, or year, depending on which backups were in the box.
This is why everyone is scrambling to ensure that any backup tape stored offsite is encrypted. The burden of proof will be squarely on the holder of the personal data to ensure everything reasonably possible was done to prevent that data from being compromised.
Backup tapes are routinely shipped offsite with a third-party vendor to provide a level of protection from local disasters. But without some form of encryption, there is no way to prevent the backups from being read once they are no longer in your custody. There are a couple of options for accomplishing this today. NetBackup, for example, offers both client-side encryption and a media server encryption option, which lets the IT administrator choose where and when data is encrypted. Client-side encryption encrypts on the backup client before the data crosses the network, so it is a good fit when all of the personal information that requires encryption lives on a single server. Media server encryption encrypts as the data is written to tape, so when many servers hold personal information it concentrates the work in one place and may be more efficient.
Another popular method of encrypting backup data is to use an encryption appliance or an LTO-4 drive, which encrypts in hardware. Both client-side and media server encryption have a direct performance impact on the server doing the encryption, and they have a capacity impact as well: data that is encrypted in software before it reaches the drive no longer compresses, so the tape holds only its native capacity. The appliance or drive model removes the performance impact from the servers and compresses before it encrypts, so the usual compression ratios are preserved, offering the best of both worlds for a premium price.
With all of the encryption solutions available today, key management is the biggest concern. The encryption keys need to be protected at least as carefully as the data they encrypt, because whoever holds the key holds the data. Maintaining the keys is a specific challenge requiring both protection of the keys and a secure, tested method of recovering them after a disaster. Most key management software provides a way to regenerate the encryption keys from a passphrase, so that entering the same passphrase into the utility reproduces the exact same set of keys. Note what this implies: the passphrase is now the secret that everything else depends on, so it must be long, unguessable and controlled as tightly as the keys themselves.
Daymark recommends a dual method to protect the encryption keys. As keys are not changed very often, we recommend that the actual database pieces containing the keys in the key management software be burned to a CD and stored separately from the encrypted backups. A disaster recovery container stored with the offsite host vendor is highly recommended. This container should hold operating system CDs, the DR plan, the emergency contact list and the encryption key CD, as well as the passphrase in case the keys need to be regenerated. The separation only works if the container and the tapes are not under one custodian: keep the container with a different vendor or in a separately controlled location, and seal the passphrase apart from the key CD so that whoever opens the box does not automatically hold the tapes, the keys and the means to regenerate them. Done this way, the data stays encrypted, the keys are never stored with the backup tapes, and, importantly, you can successfully answer questions about 201 CMR 17.00 compliance.
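The two recovery paths described in the last two paragraphs (the key database on the CD plus the passphrase, and regeneration from the passphrase alone) are easier to reason about in code. The following is an added, constructed example and is not NetBackup's or any vendor's key management code: it derives a master key from the passphrase with PBKDF2, derives each tape's data key deterministically from that master so the same keys can be regenerated, stores the keys in a small "key database" wrapped under the master key (the CD alone reveals nothing), and records a key check value so a regenerated key can be verified before any tape is touched. The tape cipher is a SHAKE-256 keystream with an HMAC-SHA256 tag so the script runs with only the standard library; real products and LTO-4 drives use AES. The sample HR export, tape label and passphrase are all made up for the example.

```python
"""Constructed example: passphrase-regenerable keys for encrypted backup tapes.
Not NetBackup or any vendor's code. Uses a SHAKE-256 keystream plus HMAC-SHA256
(encrypt-then-MAC) instead of AES so it runs with only the standard library."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # PBKDF2 work factor: the passphrase is now the root secret


def derive_master(passphrase: str, kms_salt: bytes) -> bytes:
    """Master key from the passphrase. Same passphrase and salt give the same key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), kms_salt, KDF_ITERATIONS, dklen=32)


def tape_dek(master: bytes, tape_id: str) -> bytes:
    """Per-tape data encryption key, derived deterministically so it can be regenerated."""
    return hmac.new(master, b"tape-dek:" + tape_id.encode(), "sha256").digest()


def _subkeys(key: bytes):
    # Separate keystream and MAC keys from one 32-byte key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = hashlib.shake_256(enc_key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short to carry nonce and tag")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed: wrong key or altered data")
    stream = hashlib.shake_256(enc_key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def kcv(key: bytes) -> bytes:
    """Key check value: verifies a key (or a regenerated copy) without reading a tape."""
    return hmac.new(key, b"kcv", "sha256").digest()[:8]


class KeyDatabase:
    """The 'database pieces' that would be burned to the key CD: the non-secret KMS
    salt plus each tape's DEK wrapped under the master key, so the CD alone,
    without the passphrase, reveals no key."""

    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        self.records = {}  # tape_id -> (wrapped DEK, key check value)
        self._master_kcv = kcv(derive_master(passphrase, self.salt))

    def _master(self, passphrase: str) -> bytes:
        master = derive_master(passphrase, self.salt)
        if not hmac.compare_digest(kcv(master), self._master_kcv):
            raise ValueError("wrong passphrase")
        return master

    def new_tape_key(self, passphrase: str, tape_id: str) -> bytes:
        master = self._master(passphrase)
        dek = tape_dek(master, tape_id)
        self.records[tape_id] = (encrypt(master, dek), kcv(dek))
        return dek

    def unwrap(self, passphrase: str, tape_id: str) -> bytes:
        """Normal recovery path: key CD plus passphrase."""
        wrapped, check = self.records[tape_id]
        dek = decrypt(self._master(passphrase), wrapped)
        if not hmac.compare_digest(kcv(dek), check):
            raise ValueError("key database record is corrupt")
        return dek


def regenerate(passphrase: str, kms_salt: bytes, tape_id: str, expected_kcv: bytes) -> bytes:
    """Fallback path: key CD unreadable, only passphrase, salt and tape id are known."""
    dek = tape_dek(derive_master(passphrase, kms_salt), tape_id)
    if not hmac.compare_digest(kcv(dek), expected_kcv):
        raise ValueError("regenerated key does not match the recorded check value")
    return dek


def demo() -> bool:
    passphrase = "constructed example passphrase, use a long random one in practice"
    db = KeyDatabase(passphrase)
    hr_export = b"emp_id,name,ssn\n1001,A. Resident,000-00-0000\n"  # constructed sample data
    tape = encrypt(db.new_tape_key(passphrase, "LTO4-000123"), hr_export)  # constructed label
    # Path 1: tape + key CD + passphrase (the DR container).
    via_cd = decrypt(db.unwrap(passphrase, "LTO4-000123"), tape)
    # Path 2: tape + passphrase, key CD lost; the salt is recorded in the DR plan.
    _, check = db.records["LTO4-000123"]
    via_regen = decrypt(regenerate(passphrase, db.salt, "LTO4-000123", check), tape)
    return via_cd == hr_export and via_regen == hr_export


if __name__ == "__main__":
    print("both recovery paths restore the tape:", demo())
```

A lost tape by itself is ciphertext plus a tag and nothing more; the key CD by itself holds only wrapped keys and a salt; and a wrong passphrase is rejected by the check value before any restore is attempted. That is the property the DR container is meant to preserve, and it holds only as long as the passphrase is not stored next to the tapes.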