Iron Mountain loses another customer tape containing sensitive data

* Iron Mountain sure seems to want to win the Stoopid IT Tricks award

Well, Iron Mountain has done it again! It now leads the pack in my informal scoring of who has been the most capable when it comes to performing Stoopid IT Tricks.

First: the facts, just the facts (read the story on

On April 6, 2006, Iron Mountain - the supposedly "safe" vaulting facility used by many IT managers as an off-site archiving repository - discovered it had lost tapes, which included personal data, such as social security numbers, of 17,000 past and current employees of one of its clients, the Long Island Rail Road (LIRR). On April 26, almost three weeks later, Iron Mountain publicly apologized.

Lost at the same time - apparently not requiring an apology though - were records from the Department of Veterans Affairs, which were also on the same truck.

According to the apology note from LIRR officials to LIRR employees, information on the tapes was "formatted in a way that is very difficult to access without highly specialized skills, specific software and sophisticated computer equipment.

"For all of these reasons, the risk of any person accessing your personal information is unlikely," the letter reads. "At this time, we have received no information indicating that the missing data tapes have been stolen."

And now: the commentary, just the commentary.

The above bit of IT stupidity took place in New York, and I thus find myself in the unaccustomed position of having to defend the rights of Yankee fans. But this is a case where even they deserve better. Much better.

Once again, backup tapes on a truck went missing. Many of you still ship physical tapes off site, and most of you don't encrypt the data before it goes out the door. Alas, it's a reality with which we all have to live.

Of course, I suggest that, whenever practical, you move data electronically. But what should you do if you must ship archive tapes off-site? And what if, because of time constraints, you still can't encrypt this data?

Remember your duty is to protect the integrity of your company's data. In particular, remember the ethical imperative to protect your employees' privacy. At the very least, demand the following of the off-site repository: Whenever media is lost by an archiving site, either in transit or within the company's own facility, MAKE SURE THE REPOSITORY INFORMS YOUR CORPORATE OFFICERS WITHIN 12 HOURS OF THE DISCOVERY OF THE LOSS!

Put a statement to this effect in your service-level agreement, and impose a stiff penalty for non-performance.

Why not discuss this with your management team, and with your contract administrators right now? Then, when it is time for the contract to be rewritten, they will be prepared.

Flame off.

P.S. When IT management drops the ball and the story makes it into the newspapers, it is almost always a security-related issue. Can you verify a case of another bit of IT foolishness? If you want to blow the whistle on another candidate for a Stoopid IT Tricks award, let me know. I promise to follow up on objective, verifiable information from whistle-blowers, to keep informants' names out of the public eye, and to share the silliness with my international readership. Thanks!

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT