It's beginning to get a little too routine. Nearly every week, some well-known, highly respected financial institution a)
loses, b) misplaces, or c) has in its possession stolen confidential consumer financial data.
The week of June 6, it was CitiFinancial's turn in the penalty box. The consumer finance division of Citigroup is in the process of sending out notices to some 3.9
million US customers that computer tapes containing information about their accounts -- including Social Security numbers
and payment histories -- have been lost.
This, I suspect, will not put these 3.9 million customers in their "happy place."
The tapes were lost during a routine shipment from a datacenter in New Jersey to a credit reporting bureau in Texas. Isn't
just about everything that's between New Jersey and Texas lost by definition? If the tapes are sitting out in the scorching
Texas summer sun somewhere, have no fear about them being used for anything more nefarious than tarring a roof.
In a statement, CitiFinancial said it "had no reason to believe that this information has been used inappropriately, nor has
it received any reports of unauthorized activity." Haven't we heard this somewhere before? As Yogi Berra said, "It's deja vu all over again."
CitiFinancial joins a list of distinguished Fortune 500 companies -- including TimeWarner, Bank of America, and Ameritrade
-- that have compromised the confidential information of their customers and employees.
Technically, CitiFinancial did not lose the tapes. UPS did. It reminds me of that last scene in Raiders of the Lost Ark, when
the much-sought-after-and-fought-over Ark of the Covenant gets put in a huge government warehouse next to Einstein's brain. Somewhere there is a warehouse full of corporate data sitting next to Deep Throat's flower pot.
There is one difference between what happened at CitiFinancial and the other recent data losses in transit. Unlike other companies,
Citibank made it clear in its statement that the company had plans to begin encrypting its credit bureau information. Wow,
if you can teach dogs to sit, maybe corporations can learn security, too!
Citigroup, CitiFinancial's parent corporation, began a companywide effort last year to eliminate the physical shipment of
data tapes after losing a batch of tapes in Singapore (OK, so it takes a couple of times to get it right).
Bob Cramer, president and CEO of LiveVault, a disk-based online backup and recovery provider, is adamant about the need for
encryption. "Companies need to stop risking the security of their data and fix the problem, especially since technology exists
that eliminates the risk of backing up data to tape," he said. LiveVault advocates a mandate that all personal data stored
by publicly traded companies be encrypted.
Although Cramer's suggestions work well for data storage, plenty of issues remain when it comes to live data. Recent security
incidents at Bank of America (not lucky in the security department) and Wachovia, where employees stole customer data and sold it to debt collection firms, show that "inside" jobs are still the most dangerous.
One company offers a bit of help against insider jobs: Vontu. Vontu 4.0 monitors network traffic and stops messages that violate
security and privacy policies from being sent.
But if I were an IT manager for a publicly traded company, I would start my security plan with what to do in the case of lost
customer data, because it looks more and more like a question not of if it will happen, but when.