COLUMBIA, S.C. - Credit unions not encrypting backup tapes are not alone. Currently, only about 6% of financial services organizations do, according to research firm Enterprise Strategy Group, but that number could be rising quickly, if it isn't already.

The reason is fairly obvious. Among the reports of lost and stolen account numbers and other personal data at large banks, brokerage houses and government agencies that have been filling the news lately are several that involve the loss of unencrypted backup data tapes.

Currently, the NCUA doesn't require encryption of backup tapes, but some credit unions don't intend to wait.

"We encrypt," Butch Leonardson of BECU says simply. "It's easier to encrypt tapes than it is data that's being used in real time, and it's something we've been doing for the past 18 months or so.

"Our backup tapes are being driven to storage by a third party who hires guys driving little delivery trucks. They ain't delivering pizza. We encrypt."

Doing so has turned out to be both easy and economical, adds Leonardson, vice president of IT at $5.4 billion BECU. "I know when we started doing it, none of our staff suddenly started asking for more money to be budgeted for it," he says.

In most cases, it's not been employees of the financial institutions themselves responsible for the data loss. For example, Iron Mountain, the nationwide secure storage outfit whose client list includes banks, credit unions, trading firms and more, has confirmed losing track of four sets of backup tapes, while in the case of CitiFinancial, the tapes were lost while in transit through UPS.

Regardless, the financial institution is ultimately responsible for what's on them and should have long been taking the basic step of encrypting backup tapes before they leave the building, says Carl Faulkner, a principal with Cornerstone Advisors in Scottsdale, Ariz., consultants to credit unions and banks.

"It's the easiest thing in the world to encrypt those files," Faulkner says. "Heck, some of the storage software programs give you the option to do it right when you write to the tapes. It's just not something that's been done."

Will that be changing? CitiFinancial, in the wake of losing the personal data of millions of customers, plans to soon begin encrypting, and Faulkner says he advises credit unions to follow suit.

"Right now the NCUA and other banking regulators are not requiring encryption of backup tapes, but that could be changing. You might as well figure out how to do it now, since somewhere down the road, it's going to be required," Faulkner says.

That "somewhere" may be sometime soon, if lawmakers like Ed Markey get their way. The Massachusetts congressman notes that online banking data already is encrypted, and told USA Today last week that he intends to ask agencies such as the FTC, SEC and others if they have the authority to require all financial institutions to encrypt all data.

That, along with negative publicity, erosion of public confidence and tangible financial losses from such incidents, may create a business need for encrypting backup tapes that heretofore hadn't existed.

"The need for encryption just hasn't been obvious, and there's a cost involved in adding that functionality to databases and creating those algorithms that up until now hasn't made sense as far as ROI," according to Sophie Louvel, research analyst at Financial Insights in Framingham, Mass.

Louvel says that financial institutions already have been securing data more aggressively internally and now expects encryption of data backup tapes to follow. She also points out that encryption isn't necessarily bulletproof and that electronic transfer of data to backup storage may be the better solution.

Doing Away By Doing Without?

Indeed, one way to avoid encrypting backup tapes is to not ship them at all.

That's the case at Purdue Employees Federal Credit Union in West Lafayette, Ind. "We've had questions from some members, valid concerns about how secure our data are, and I can tell them that we transfer our backup data in encrypted form via FTP to our own disaster recovery center, and it's dual stored on our network," says Gail Koehler, senior vice president of technology at $411 million PEFCU.

"It's something we felt like we should already have been doing, and we took care of it six or seven months ago when we did a UNIX conversion and data migration here," Koehler says.

PEFCU is a particularly tech-savvy outfit, but what about all those credit unions who rely more heavily on their core provider of technology, their core processor, to guide them through these dangerous new waters?

Hugh Butler, senior vice president with Fidelity Integrated Solutions' Credit Union Services Division, says online data backups can be pricey for smaller credit unions, a market segment he got to know well with the former Computer Consultants Corp., a core processor for 600-plus credit unions that was bought by Aurum Technology shortly before Aurum itself was bought by Fidelity National Financial.

So instead, they generally use tapes. Some are automatically encrypted by their systems while others aren't, and some CUs rely on community-based network services providers to provide them that service, or take advantage of the hospitality of their home SEG.

"We have clients at hospitals and universities and public utilities departments where the credit union is located that provide security expertise, but that can raise questions of control," Butler says. "Guess what comes with control? Responsibility. And how much responsibility can you really delegate?"

Butler adds: "I really don't know how many of the managers at our client credit unions are taking the trouble to review their encryption policies and do their disaster recovery drills, but I suspect not as many as ought to be.

"Of course, we also tell them they can simply shift over to our Mercury on Demand ASP service and we'll take care of all this for them in an offsite environment."

Another specialist in serving small credit unions, FedComp, says its system password-protects data tape backups in such a way that only the company's own software can open them.

"That way, if someone were to get their hands on it who shouldn't, they would have to have our program to do anything with it," says Mike Shiner, CIO at the 1,400-client technology provider in Fairfax, Va.

That's the 1,200 or so credit unions using FedComp's Windows-based TNG platform. Those on the old DOS-based system, interestingly enough, are on a proprietary platform producing data that most potential fraudsters wouldn't even recognize, Shiner notes.

"We have a couple things going for us, regardless of which platform they're on," Shiner says. "We deal with smaller credit unions, so we're not a CitiBank, we're not a prime target."

Of course, as so many of these cases of lost or stolen data show, sound security can often depend on an institution's people as much as its technology.

"The greatest vulnerability is all the social engineering going on, the stuff that attacks the wet ware, the gray matter," says Tom Giangreco, information security officer at $5.5 billion Orange County Teachers FCU in Santa Ana, Calif.

One of the easiest ways remains to simply encrypt the data that's going out, something that has never really been front of mind in financial services circles until now.

"For 30 years or more, we've been creating backup tapes and sending them off, never giving thought to the fact that people can do something with them," says Faulkner at Cornerstone Advisors.

"Well, it's getting attention now," he says.
