Data Backups with Third-Parties – CompTIA Security+ SY0-401: 2.2

All of your data may be well protected in your data center, but what happens to the data on your offsite backups? In this video, you’ll learn about managing data backups with third-parties and what problems you could face if your data backups are not properly handled.

<< Previous Video: Data Ownership and Unauthorized Data SharingNext: Security Policy Considerations with Third-Parties >>


Our data backups are one of those things that we don’t really think about unless we need them. When we delete a file or we need to reconstruct a system that’s crashed, we always go back to our backups. But the rest of the time, we’re not really taking them into account– at least not from a security perspective. And we absolutely should, because our backups have every single bit of data that was on our system, and now it’s outside the scope of where we normally think of having that data stored.

Even if we’re performing these backups ourselves, it’s very often that we store this information off-site, which makes perfect sense from a security perspective. That way, if anything happens to our local environment– the building burns down or there’s a flood that comes through– our data was somewhere else, and we’d be able to recover from that information. But usually this off-site facility is managed by a third party. So there’s another example of how a third party might have access to this very important data.

As these data files are stored and then moved from one site to another, there are sometimes concerns about the data getting lost. There’s often many, many tapes that are being transferred back and forth. The third party organization that’s handling storage of that at their facility probably also handles storage for many other organizations as well. And all too often, information can be stored or filed in the inappropriate places, which makes it now difficult to retrieve later on.

Of course, the data stored on the backups may be very different depending on what you’re backing up. If you’re backing up a public data server so that you can restore that information later, that information is relatively open and anybody has access to it. But a database backup that contains financial information or health care records not only has very important data on it, but it should probably be handled a bit differently than information that might be public.

Here’s a good example of why it’s so important to manage your backup data. In September of 2011, a third-party government contractor was doing their normal backups of information, and unfortunately have the backup tapes stolen from their car. Unfortunately, this backup data was from members of the US military, and it contained health care information. This contained health care information for over 4.9 million people in the US military. And it had important information such as social security numbers, the names of these individuals, and clinical notes associated with their health care.

If you’re thinking to yourself that health care information should have probably been handled differently due to federal regulations, well you would be correct. But in this particular case, the contractor believed that the oversight of this data fell under the Federal Trade Commission and not information that would require that they handle this information according to HIPAA rules and regulations.

This particular incident has resulted in at least two separate class action lawsuits– each one of them asking for $4.9 billion in damages. This is just a very large example of things that can happen, but it really speaks well to how important it is to manage your backup data.