I occasionally get asked whether the data stored in call center systems, such as audio recordings and screenshots, is also regulated. Lately I have been asked whether there is some way to easily find just the sensitive information in audio or video files and encrypt or hash it without affecting the rest of the data.
At first I thought this a strange question. It is the kind of question where I have to wonder if the person asking already has the answer but they hope for some kind of miracle or change in the laws of physics that will save them a huge headache. Then I came to hear about a massive breach that involved 57 hard drives with call center data.
The Blue Cross Blue Shield story is tragic. The Eastgate Hard Drive Theft has cost over $7 million thus far and required nearly six months of dedicated forensics work to clarify who is affected. A press release from BCBS revealed that more than half a million customers had their information on the drives.
As of February 18, 2010, the total number of current and former members having been identified remains at 521,761, with 220,133 members in the Tier 3 category and 301,628 members in the Tier 2 category.
The tiers are set by risk level, meaning the amount of data exposed. Tier 3 is the highest risk, with name, Social Security number, date of birth and address exposed.
Throughout the press releases, stories, and official breach letter it is hard not to see a clear theme of encryption. Although some may have continued to question how best to secure call center data up until now, this breach essentially puts the discussion in a whole new light. The use of drive or full database encryption for systems with audio and help files like screenshots will from this point on have a much clearer risk profile. In fact, it will no longer be sufficient just to encrypt. I expect pressure to rise now to remove sensitive information from the audio files altogether, or to prevent it from being archived. The PCI security standard under Requirement 3.2 is already headed in this direction.
This also reminds me of the RAF incident last year.
The breach involves audio recordings with high-ranking air force officers who were being interviewed in-depth for a security clearance. In the interviews, the officers disclosed information about extra-marital affairs, drug abuse, visits to prostitutes, medical conditions, criminal convictions and debt histories — information the military needed to determine their security risk. The recordings were stored on three unencrypted hard drives that disappeared last year.
Time to raise the bar and introduce better controls for media storage.