Does the bank have to encrypt backup tapes that are transported to another location (one of the branches)? Or is this part of the stronger identity theft laws effective in November?

GLBA, the new id theft regs, and other federal and state privacy regulations require non-public personal information (NPPI) be protected from unauthorized access at all times. These regulations place constraints on how data is stored, processed, and transmitted.

The FFIEC Information Security Booklet states that financial institutions should “employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.”

Per recent interpretations of GLBA, “password protection of this data is not sufficient to mitigate the risks – encryption technology must be used to secure the exchange of NPPI over a public network.”

If your tapes are lost or stolen in route or once it arrives at its final destination, encryption would give you comfort that the data is protected. To reduce regulatory risk and reputation risk, I would highly encourage encryption.

We are planning to put backup tape encryption in our 2009 budget. Our regulator told me that while encryption is not required, it is strongly recommended and encouraged. Until we implement encryption, our independent I/T auditor suggested that we create an inventory and tracking system of all backup tapes. This way, we should know where our tapes are at all times.