(Part one of two)
You may not believe it or even realize it, but there is a good chance that the people responsible for maintaining your bank's electronic gadgets have had to send them outside the bank to third-party data recovery vendors in order to retrieve lost or corrupted data files.
Such files could include all sorts of sensitive customer or personnel records. Once the data recovery engineers have managed to put the ones and zeroes back in their proper places by physically opening the devices, rebuilding the drives, and reviving the memory banks, those records would be open to anyone to read. The question is, how vulnerable does this make your bank to data breaches?
So asks Lynda Martel, executive director, DriveSavers Data Recovery Inc., during a session at ABA's Risk Management Conference.
The danger, she says, based on her company's experience and on research commissioned through the Ponemon Institute, is that risk managers and security professionals typically do not realize that devices containing sensitive information are routinely sent out of the bank's control.
She knows that this occurs because her company alone works on 80 drives a day, or up to 25,000 a year, sent by financial institutions, health care offices, and government agencies.
Meanwhile, because of the proliferation of devices in the workplace, the data recovery industry itself has ballooned, bringing with it a significant number of startup companies whose security procedures may be lacking. While hers is one of the largest and oldest of such companies, it's estimated that companies less than four years old make up 90% of this $1.5 billion annual revenue industry.
"There is [likely] a disconnect within your organization that creates a gap that puts your data at risk," she says.
There is a sharp distinction between data loss recovery and disaster recovery. The latter is mainly a procedure to access data that's been backed up at some offsite location. What she's talking about is data that's lost when an individual laptop, computer, or mobile device is damaged either through accident or malicious attack.
"We're all walking with our devices today. We can bump them. We can drop them. We can spill coffee on them. It's amazing how many iPhones wind up in the toilet," Martel says.
When such a misfortune happens, the case of the gadget has to be opened by trained people working in a clean room, like those NASA uses for space-borne devices. Parts may have to be replaced or repaired. The storage drive may have to be removed, repaired, and spun up in an apparatus so that the data can be run through special programs that eventually reconstitute the information. Then that information is archived and returned to the owner.
The thing is, says Martel, the higher-level security professionals surveyed by Ponemon tended to have contrary perceptions of what is happening in their organizations. The survey found that these people believed that the company never loses data; that data is always backed up; and that, if data somehow were lost, the company would never send failed drives out to third parties for recovery.
Meanwhile, the IT professionals at those same companies had this to say: Drives do fail; data is often lost; drives are sent out to third parties for recovery as often as once a week or even more often.
Martel cited these results from the Ponemon survey of 769 IT professionals:
• 80% of data loss/corruption is due to physical device failure.
• 85% have used and will continue to use third-party data recovery service providers, up from 79% in 2009.
• 37% use more than one such provider.
• 39% use providers once a week or even more often.
The first step to addressing this risk management mismatch, Martel says, is for bank management to check on the situation within their organization and find out if such a gap exists.
(In Part 2, the proliferation of vendors, the importance of vetting potential data risk vendors, current standards and best practices, and steps to mitigate the risk.)