Is backup media stored in a trusted, secured location?


All backup and archival media containing customer data, personally identifying information (PII), or protected health information (PHI) should be kept in secure, environmentally controlled storage areas owned, operated, or contracted for by your organization. If backup media (e.g. tapes) is stored offsite, the media should be encrypted and tracked.

Why are they asking this?

Backup media holds all the data that your organization has on its systems. If the backup media is stolen and not encrypted, an attacker could access all of your organization’s data without even touching the systems themselves.

What do they expect?

They expect backup media to be stored in a secure location and to be encrypted, especially if the media is transported to any other location.