It’s been a bad year for privacy.
Since February, when identity thieves conned data aggregator ChoicePoint Inc. out of 145,000 personal records that contained Social Security numbers, addresses and credit accounts, there have been upward of 60 incidents involving lost or stolen confidential data, affecting more than 50 million individual files.
The largest occurred in June, when information from 40 million MasterCard and Visa credit accounts was stolen by hackers who broke into the network of third-party transaction processor CardSystems Solutions Inc. Most of the other episodes pale in comparison, but they’re just as potentially harmful to the people whose data was compromised.
But of all the recent, high-profile mishaps, a series of relatively minor incidents has, surprisingly, riled many security experts the most.
The first was in February, when Bank of America Corp. revealed that credit-card information on 1.2 million federal employees had been mislaid en route to a storage facility. A month later, a container of backup computer tapes containing personal information on 600,000 current and former Time Warner Inc. employees was lost in transit between New York City and a storage facility in New Jersey.
On the tapes were Social Security numbers and other data pertaining to such company celebrities as former CEO Jerry Levin and former Chairman Steve Case. Soon after that, backup customer account files belonging to City National Bank, in Los Angeles, also disappeared after they had been put on a truck for shipment to a data repository.
Each of these three cases is still unexplained, and it’s unclear whether the records were stolen or simply mishandled. Moreover, the information on the files doesn’t appear to have been misused by identity thieves—yet. But although little harm appears to have been done by these episodes, they were nonetheless particularly disturbing, because the culprit in each case was Iron Mountain Inc., a Boston-based records-management company that has built a reputation as the premier protector of essential corporate assets.
A mushroom farmer named Herman Knaust founded Iron Mountain Atomic Storage Corp. in 1951, when he converted a depleted iron ore mine in Livingston, N.Y., into the world’s first underground hideaway hardened against even a nuclear incursion. The company’s initial customers were 150 executives from Fortune 500 companies who wanted a safe haven from a Soviet attack. Over the past half-century, Iron Mountain has trucked untold amounts of paper, film, computer media, medical files and X-rays into its half-dozen secret subterranean sites and other facilities, making it the No. 1 guardian of sensitive corporate data, with $1.8 billion in annual sales.
Indeed, Iron Mountain has been so quietly and consistently competent that since going public nearly a decade ago, its stock has increased almost 600 percent—six times better than the S&P 500 Index.
So when Iron Mountain admitted that it, like numerous other financial services, information and data collection firms, had misplaced data it was supposed to protect, the news was, for many, the most tangible evidence that something had gone seriously and systemically wrong with the way companies were handling confidential information. If Iron Mountain can’t safeguard sensitive data, information experts believe, then nothing is safe.
“It’s not totally Iron Mountain’s fault,” says Jim Hughes, a senior fellow at computer storage company StorageTek, which is working with global industries on data security encryption standards. “You have to wonder why these companies didn’t encrypt the data before they shipped it. But whoever was at fault, these incidents took place at a company that specializes in protecting information. That’s enough to drive home the fact that although companies have a responsibility to protect their own private information, very few are.”
Iron Mountain claims that these foul-ups are anomalies. According to a company statement, “Iron Mountain performs upward of five million pick-ups and deliveries of backup tapes each year, with greater than 99.999 percent reliability.”
But not everyone was buying it. By mid-June the company’s once high-flying stock, buffeted by negative publicity, had dropped to about $28, 20 percent below its 52-week high, though it has since rebounded to $34.
Story Guide:
- High Stakes, Few Solutions: Anomalous or not, high-profile data breaches put pressure on CIOs to secure sensitive information; how to do it is far from clear.
- Risky Business: It’s hard to do business at all without complete, centralized customer data, but customers are increasingly wary and vindictive about abuses.
- Security by Design: New legislation will change the environment every bit as much as SOX; will it be enough?
- Semi-Immune from Litigation: Compliance will be a headache, but meeting stated requirements may reduce your risk in the courtroom.
- Privacy in Action: The give-and-take of privacy rules may, for example, force companies to choose between disclosing data breaches, or paying exorbitant insurance.
- Consumer Protection: Congress has taken more than one stab at identity and privacy protection. This table will give you a quick reference to the relevant rules.