It Fell Off the Truck, Again. Now What?

It was a rocky end to 2007 for data-storage leader Iron Mountain. The Boston-based company had two high-profile cases of tape loss to close out the year, including one that required GE Money to notify 650,000 potentially exposed customers. Five years after California passed its data breach notification law that became a de facto national standard, the case raises the question: why are banks still trucking around backup tapes, and why is Iron Mountain still losing them?

About 19 percent of banks rely solely on tape for backup storage, says Lauren Whitehouse, an analyst at Enterprise Strategy Group, which conducted a cross-industry study of backup storage practices in January. But many banks are opting to use a combination of tape and disk or electronic storage. In 2004, only one-quarter of banks used a combination strategy; today, more than two-thirds do, Whitehouse says.

Only 13 percent of financial institutions back up solely to disk, and less than one percent use only electronic vaulting, according to ESG. Still, IDC predicts that the hosted backup storage market will reach $715 million in 2011, up from just $235 million last year.

There are two reasons why tapes remain the industry standard, says Adam Couture, principal research analyst at Gartner: money and bandwidth.

While pricing is complex, it typically costs under $1 to store one gigabyte of data on tape, compared with $4 to $7 per gigabyte for electronic storage. In a three-year study of total cost of ownership, ESG estimates that tape cost $13.08/GB and disk $12.99. Electronic storage was three to four times more expensive.

On the bandwidth side, "depending upon the size of your type, it's going to limit how much data you can back up," Couture says. "It's a rule of thumb they top out at a terabyte, terabyte-and-a-half... You can only push so much data through that pipe."

When it comes to disaster recovery, Iron Mountain's Americas division President John Connors argues that physical tape storage is still best practice. "The physics of it are that it's still faster to put the tape in a truck, drive it across town and get it over to the system and have it uploaded from there, than [employing] the bandwidth that would allow you to restore that system over the wire," Connors says.

But which poses more of a financial risk, a natural or man-made disaster blocking access to electronic backup files, or a simple lost tape and the millions spent notifying customers and offering identity theft protection services? Couture believes that electronic storage is far safer than its counterpart. "There are a number of risks. The biggest, obviously, is where the tape is lost or stolen," he says. "Iron Mountain, unfortunately, has had more than your fair share of those."

EVault, whose direct customer base is 20 percent banks, is perhaps the top electronic data-storage provider, according to Couture. The company's director of product management, Patrick Dowlaszewicz, says that electronic storage is indeed safer than manual.

"If you look at the entire spectrum of security, the more touch points you have in the handling of the data, the more risk you have in terms of things happening outside of what you expected," Dowlaszewicz says. "Essentially, it is not just a matter of fact that those [cases of data loss] will happen. We will prevent those things from happening...by removing the human intervention where possible."

Which brings the issue back around to Iron Mountain. The company is the largest data-protection business in the world and manages about 50 million tapes for about 40 million customers, including about 80 percent of the Fortune 500, Connors says. That work includes more than five million tape deliveries per year, at a nearly flawless reliability rate, he says.

The devil is in the .001 percent, perhaps. News stories over the past couple of years indicate that Iron Mountain has been involved in at least four major cases of data loss; the company wouldn't release an exact number. (Iron Mountain encourages customers to encrypt data, but does not mandate it.)

But Connors' stance is that, by and large, big news stories about lost backup tapes are a case of much ado about nothing. While not entirely trivializing these cases of data loss, he says there are not believed to be any cases of identity theft from the breaches.

The problem is that data breach laws don't distinguish between a hack and a lost tape. "There has been a little bit of hysteria around this because companies are trying to meet the letter of the law," he says.

Meet the letter of the law, yes, and then pay for incident response. Research by the Ponemon Institute found that institutions spend an average of $239 per record in the wake of data losses. If the Iron Mountain/GE Money tape loss followed the average, it would mean spending $155 million to handle the incident. GE Money spokesperson Richard Jones says that the company still uses Iron Mountain, which has "taken steps to improve our physical and technical controls."

But not all of Iron Mountain's customers are willing to share the blame or shoulder the costs. After Iron Mountain lost tapes containing a decade's worth of Louisiana students' financial aid applications this fall, the State Office of Student Financial Assistance fired the company in favor of an electronic vaulting system that costs about 18 times more than the $5k Iron Mountain charged. Reports indicate the state is also trying to recoup some of its incident response costs.

(c) 2008 Bank Technology News and SourceMedia, Inc. All Rights Reserved.
