In yet another unbelievable story of data irresponsibility, the Bank of New York (BNY) Mellon lost two sets of unencrypted backup tapes containing private data belonging to 4.5 million individuals. Third-party vendors misplaced the tapes during transport to off-site locations. According to the bank, the tapes "included shareowner and plan participant account information, such as name, mailing address, Social Security number, and transaction activity."
Responding to the bank's delay in reporting one incident, which took place on February 27, 2008 but was not disclosed until the end of May, Connecticut Governor, Jodi Rell, said:
The disastrous effects of identity theft are virtually instantaneous in today's computerized world, and the lag time between the theft and the notification only aggravates what is an already outrageous situation.
BNY Mellon's chief risk officer, Todd Gibbons, said the bank now plans to improve security related to backup tapes. From Computerworld:
To bolster its security controls, the bank said it will now require that any confidential data written on tapes or CDs for transport must be encrypted or transported with undisclosed additional data protections. Further, when "technically feasible," the bank will demand that encrypted confidential data be delivered to off-site facilities electronically, noted Gibbons.
After exposing 4.5 million people to identity theft, it seems the notion of tape encryption suddenly popped into their heads. In my opinion, BNY Mellon should fire Todd Gibbons immediately for this serious breach of public trust and fiduciary responsibility. Think my perspective is too severe? Then see stories about identity theft victims, such as those described on privacyrights.org.
I continue to believe strong legislation and strict penalties, including the threat of jail time, is the only way to solve this common problem. If HSBC, the UK's largest bank, is willing to send out unencrypted data, then this is truly a massive issue. Industry self-policing has not worked and it's time the government enacted preventive regulation.