Risk assessment: lost backup tapes

When a client’s off-site data storage vendor lost a series of unencrypted backup tapes of credit card databases, Stroz Friedberg was asked to provide a risk assessment of how difficult it would be for someone who found the tapes to restore and read the data. The client sought this opinion in deciding how to proceed under state data breach notification statutes. Stroz Friedberg brought to bear its unique and industry-leading methodology in this area.

We first focused the client on non-technical considerations, urging the client to conduct a traditional private investigation into the disappearance of the tapes. If the tapes were simply misplaced, the risk of compromise was far lower than if an investigation showed that they were intentionally stolen by an organized crime group engaged in identity theft.

On the technical side, Stroz assessed the following factors to determine the difficulty a thief might have in restoring the credit card data:

1) the cost and availability of the back-up tape hardware needed to read the tapes,
2) the cost and availability of the back-up software used to create the tapes,
3) how much credit card data was “in the clear” and readable by simply “dumping” the tape’s data to a hard drive rather than trying to restore that data,
4) whether the volume of the data would pose any difficulty for a skilled attacker,
5) how much of the data was in a compressed or proprietary format, or was spanned across multiple tapes, and
6) what impact the format would have on reading the data.

Given the factors in this particular case, we concluded that an unskilled or medium-skilled attacker would likely not be able to extract credit card information from the lost tapes, but that a skilled hacker or forensic specialist would be able to do so with a modicum of effort and money. In most states, companies are exempt from notification only if the lost personal data is encrypted. These statutes may be open to an interpretation under which data that is very difficult and expensive to restore is de facto encrypted. At a minimum, an opinion that lost data is very difficult and expensive to restore could be relied on to take advantage of the reporting exemption in the small number of states that provide one where there is no “reasonable likelihood” that the loss of the data is going to lead to actual identity theft.



