Back in 2006, a computer tape from a Connecticut-based People’s Bank containing personal data on 90,000 customers was lost in transit. The tape contained information such as names, addresses, social security numbers and checking account numbers. While the bank claimed that no unauthorized activity on the affected accounts was reported, you can imagine what kind of backlash and repercussions would have ensued if it had.
Financial institutions, such as credit unions, must follow stiff legislation that requires them to develop written security plans to protect confidential member records from both digital and physical threats. The security plan must demonstrate that the program put in place will protect confidential records against unauthorized access as well as physical destruction.
As you can see from the example above, tape-based storage – in which data is saved onto a number of backup tapes which are then physically transported to an off-site storage vault – is not only a labor-intensive process, but also inefficient and unsecure. If a natural disaster occurs, those backup tapes could be washed away along with confidential unencrypted customer information.
So why do credit unions continue utilizing costly and disaster-prone solutions like tape backup? The answer might be in the legislation itself. The National Credit Union Association has issued a Code of Federal Regulations that talks about the protection of credit union’s member information, referred to as the NCUA CFR 12, part 749 that discusses record preservation programs that credit unions should follow.
Within the guidelines established by NCUA is the requirement for offsite data storage so that member information can be accessed or retrieved in case of a disaster. What the regulation doesn’t specify is the type of technology that should be used.
And so we encounter credit unions using legacy backup technology and sending tapes offsite as a method of records preservation without realizing that this type of data protection also lacks the capability of being really useful in case of a disaster. When you take into consideration:
- The time to request tapes stored offsite
- Turnaround time to actually get the tapes from the offsite location
- The setting up of new server and hardware to be able to retrieve data from tapes
- The time it takes to actually retrieve data after a new IT environment is setup
You are easily talking about days – if not weeks – that will have gone by until the data is ready to be accessed.
When IT managers at financial institutions like credit unions stop to calculate the time and costs associated with managing tape backup, they quickly realize that it is not the best technology to be used when data integrity and quick recovery timeframes are required.
So if you are in the financial sector or have clients in the industry, talk to them about their recovery point objectives, recovery time objectives and do an honest assessment of your current capabilities versus your company’s or industry regulation requirements. You may be surprised to find out that your backup is not really protecting your organization from downtime.