Originally Posted by BigMAC
I don't base anything on assumptions. However, nothing is encrypted server side, i.e. hosting side, so why should I back up with encryption!
Your server: full control. Third-party backup server(s): no full control.
Own house: leave your bank statements on your kitchen table. Neighbour's house: Don't leave your bank statements on neighbour's kitchen table.
Simples.
Also, given that there are no guidelines for hosting companies to follow, there are a large number of fly-by-night hosts who actually don't make remote backups.
There are guidelines, plenty of them. Most people refer to them as "laws" though.
While you're bashing on about addresses and postcodes, all of it is available via domains on domain tools, which is on show for everyone (unless you're non-trading and you choose to opt out, like yourself).
About that "unless" part: Exactly! You need consent to give personally identifiable data to any third party - that's why a private person can opt out of giving this consent within the EU/UK (a company is not a private entity but a public one, so it has no such option).
So if you were to ask for someone's name and address on a website, but don't put in any effort to make sure it's difficult - and hopefully impossible - for this data to end up in third parties' hands, then you're legally liable under the Data Protection Act. That's unless the person gave consent to have his/her data provided to the third party, of course.
Encryption offers no bullet-proof protection!
It's your duty under the DPA to use "due diligence" in protecting personally identifiable data of EU citizens. Even if it's not bullet-proof (nothing truly is), "due diligence" implies every possible measure within your capabilities.
Now, if you don't store any personal data, then fine, take that risk. But if you do store such data, then you're legally obliged.
However, the storage of medical files has strict guidelines. We do not host any medical records.
Any information that can directly be traced to an individual is required to be protected under EU and UK laws. A house number + postcode can lead directly to the front door of an individual, and thus needs to be protected unless this person gave consent to make it public or otherwise be revealed to someone.
Whether people choose to hack our WHMCS, which has all the data within, or hack our backups, they will get the same information regardless.
Again, you're in full control over your own server. So if you have taken all possible measures to safeguard the server and the stored data, fine. If you store backup data on a third party's server, like cPremote / Sysvm's backup servers in the USA (that are not Safe Harbor certified), you really need to reconsider, as you're not in full control over them (so you can't guarantee to yourself that it's as secure as possible, other than taking their word for it).
This is especially the case since you're backing up data of customers (so you don't know whether or not they have personally identifiable data stored unless you check each of your customers' files beforehand, like doing their web development for instance and thus knowing what goes where).
If OVH were to back up my server's data without encryption or without telling me it's stored outside of the EU, it would be in serious trouble. So why make an exception?
Now, if you still want to do without encryption, alright. But you shouldn't advocate to others that "using encryption on backups is pointless" as you can't assume whatever they store in the backup is safe to keep unencrypted - regardless of how easy it is to decrypt it by brute force or other methods. Hence I'm a bit "bashing" about this... Better safe than sorry.
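The point argued in this thread, that ciphertext can sit on a third party's backup host while the key stays on the server you control, can be shown with a small encrypt-before-upload routine. The following is an added example written for this page, not code from the thread, from cPremote, Sysvm or WHMCS; the archive contents are constructed sample data and the function names are my own. It uses AES-256-GCM from Go's standard library, so a blob altered on the remote host is rejected on restore instead of being silently restored.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewBackupKey generates a random 256-bit key. In practice it lives in a
// root-only file on the server you control; only ciphertext leaves the box.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealBackup encrypts an archive with AES-256-GCM. The output layout is
// nonce || ciphertext || tag, an opaque blob that can be handed to a
// third-party backup host.
func SealBackup(key, archive []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the nonce travels with the blob.
	return gcm.Seal(nonce, nonce, archive, nil), nil
}

// OpenBackup decrypts a blob produced by SealBackup. The GCM tag check
// fails for a blob that was modified or corrupted on the remote host.
func OpenBackup(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Leaks reports whether a plaintext fragment is readable in the blob,
// i.e. what the remote host could see without holding the key.
func Leaks(blob, fragment []byte) bool {
	return bytes.Contains(blob, fragment)
}

func main() {
	// Constructed stand-in for a client database dump (not real data).
	archive := []byte("clients.sql: 42 High Street, AB1 2CD, jane@example.com\n")
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	blob, err := SealBackup(key, archive)
	if err != nil {
		panic(err)
	}
	fmt.Printf("archive %d bytes -> blob %d bytes; postcode visible to host: %v\n",
		len(archive), len(blob), Leaks(blob, []byte("AB1 2CD")))
	// Simulate one flipped bit while the blob sits on the backup host.
	blob[len(blob)-1] ^= 0x01
	if _, err := OpenBackup(key, blob); err != nil {
		fmt.Println("tampered blob rejected on restore:", err)
	}
}
```

The split of responsibilities matches the "own house / neighbour's house" analogy above: the key never leaves your server, so a backup host that is not under your control (or not Safe Harbor certified) only ever holds data it cannot read, and any change it makes to the blob is detected at restore time rather than restored as if it were genuine.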