Data Breaches Most Costly When Third-Party Vendors Involved
SAN FRANCISCO, CA – RSA CONFERENCE & EXPO 2012 (Booth 451) – February 27, 2012 – DriveSavers Data Recovery, the worldwide leader in data recovery services, announced today that data breaches are on the rise at data recovery vendors, according to the second annual study by Ponemon Institute, a privacy and information management research firm. The study, Trends in Security of Data Recovery Operations, outlines the potential security risks when confidential and sensitive data is outsourced to third-party data recovery vendors. In another Ponemon study released last month, U.S. Cost of a Data Breach Study, breaches involving third-party organizations are found to be the most costly, owing to the additional investigation and consulting fees they incur. The National Institute of Standards and Technology (NIST) recommends carefully vetting data recovery service providers before sending failed storage devices and critical business data to their facilities.
Businesses and government organizations are increasing their use of data recovery vendors, mainly because more drives are suffering physical failures that IT technicians cannot resolve with software tools alone. In some cases, data recovery services are used at least once a week. Organizations most often turn to third-party data recovery vendors when intellectual property, financial information and/or customer or patient data files have been lost. The potential for a data breach during the recovery process increases if the vendor’s security protocols have not been properly vetted. Mandated to close job tickets fast, IT desktop and helpdesk support managers typically rank speed above security in their selection criteria for data recovery service providers, according to the study.
Paul Reymann, CRO at Heit and one of the nation’s foremost experts in regulatory compliance and information risk management comments, “Many companies and government agencies are focused on protecting data on the inside of their organization from outside attacks. Critical data that is so carefully guarded internally is vulnerable to a data breach if third-party data recovery companies are not vetted properly. Hiring the wrong data recovery vendor could lead to compromised or stolen data, network breaches and other material security events.”
“To avoid a very costly, reportable data breach, take the time to evaluate and vet a data recovery service provider before you experience a loss of critical data,” said Michael Hall, CISO at DriveSavers Data Recovery. “Our company provides proof of all our certifications and audits on our website. We have annual assessments of internal data security safeguards and are compliant with HIPAA, FERPA, SOX, GLBA and NIST guidelines. We make it easy for our customers to see that we are a certified, secure data recovery provider.”
Areas Where Data May Be at Risk at a Data Recovery Vendor
There are several areas where companies and government organizations may be vulnerable to a data breach when using a data recovery service provider.
- Risk of permanent data loss caused by inexperienced recovery engineers, whether a device is opened and its media platters are exposed to airborne contaminants or software tools are used improperly
- Risk of improper downloading of confidential data, or identity theft, by unethical engineers
- Risk of an outside breach by hackers if recovered data is stored on an unprotected network
- Risk of confidential data exposure if damaged drives are not destroyed with a degausser or shredder after the recovery
- Risk of viruses or malware being returned along with the recovered data
Based on the Ponemon findings and the NIST recommendation, organizations should have a policy and guidelines in place for selecting and using a data recovery service provider. Respondents to the Ponemon studies developed a Data Security Checklist for vetting third-party data recovery service providers.
Healthcare organizations, government agencies and financial organizations are required by law to meet the most stringent data security guidelines and now require third-party data recovery vendors to meet those same guidelines. DriveSavers adheres to the Gramm-Leach-Bliley Act Data Security Rule (GLBA), the Data at Rest mandate (DAR), the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA).
DriveSavers Data Recovery, the worldwide leader in data recovery services, provides the fastest, most reliable and only certified secure data recovery service in the industry. As the only data recovery company to post proof of annual, company-wide SOC 2 Type II audits and its HIPAA data security compliance, DriveSavers services meet the security protocols for financial, government, corporate and healthcare industries. DriveSavers also adheres to U.S. Government security protocols, the Gramm-Leach-Bliley Act Data Security Rule (GLBA), the Data at Rest mandate (DAR) and the Sarbanes-Oxley Act (SOX). Known for its technologically advanced Certified ISO Class 5 (Class 100) Cleanroom, the company is authorized to open storage devices by all major storage device manufacturers without voiding the warranty. DriveSavers engineers are trained and certified in all leading encryption and forensic technologies. Satisfied customers include: Bank of America, Google, Lucasfilm, NASA, Harvard University, St. Jude Children’s Research Hospital, U.S. Army and Sandia National Laboratories.