Imagine a "perfect" storm so ferocious and daunting that even seasoned sailors smash their vessels upon the rocks while trying to weather the onslaught of the winds, waves, and currents. Now imagine being given safe passage to a harbor that protects you and your ship from the effects of the storm. If you were given the choice to go down with the ship or drink coffee by a cozy fire, which would you choose? For myself, I'll take my coffee with cream and two sugars...
This "safe harbor" analogy is exactly what state legislators build into ID theft and breach notification laws. It is commonly referred to as an "encryption exemption," since it exempts organizations from disclosing a breach when the lost data was encrypted and therefore cannot be read by whoever ended up with it. Most system administrators with an ounce of creativity can break into a Windows computer; the rule of thumb is that if you have physical access to a system, you can compromise it. Encryption such as AES-128 makes it computationally infeasible to read the data without the encryption key. Note the word infeasible rather than impossible: in principle a key can be found by trying every possibility, but for a 128-bit key that is on the order of 2^128 trials, far beyond any foreseeable computing capacity. In practice, encrypted data is exposed not by breaking the algorithm but by a weak passphrase, a flawed implementation, or a key that is lost along with the device.
This safe harbor rule keeps those companies that adopt encryption off the "breach list" - the growing list of notorious companies that get vilified in the news for allowing breaches of client data to occur. The breach list is an exception to the rule that any kind of publicity is good publicity. People lose their jobs and permanently harm their careers over data breaches, from IT staff to corporate officers.
In a real world example, if your laptop or USB drive with confidential data on it is stolen or otherwise accessed without authorization, that is a data breach. With breach notification laws in effect, the clock starts and your company has to determine what data was compromised and then notify every individual involved. This will trigger lawsuits, significant loss of your client base, and very negative publicity which will take years to erase. However, the encryption exemption lets organizations forgo the notification requirement if the Personally Identifiable Information (PII) was encrypted at the time of the unauthorized disclosure. With whole hard drive or volume encryption, this becomes a non-issue: the data cannot be accessed without the encryption key and the loss is therefore not considered a data breach. Yes, the laptop or USB drive may be stolen and in the hands of a hacker, but if enterprise-level encryption software is used, the hackers will not be able to access the data in unencrypted form... unless they also obtained the encryption key, for example through a keystroke logger that captured the passphrase, which is a story for another day. Two practical caveats follow from that. Whole-disk encryption protects data at rest, so a laptop taken while powered on or suspended with the key still in memory does not get the same protection as one that was shut down. And the exemption is lost if the key travelled with the data, whether as a recovery key file on the same drive or a passphrase written on a note in the laptop bag.
For those of us here in Oregon, we are thankful to have the Oregon Identity Theft Protection Act (SB 583). This is a very well written piece of legislation and thankfully, it does contain a safe harbor clause. The law requires that "reasonable safeguards" be maintained, including the implementation of a security program, risk assessment, data monitoring, and data disposal. The law also has requirements for data breach notification specifically focused on PII. If your PII is encrypted, and the encryption key was not acquired along with it, you forgo the notification process.
According to SB 583, PII consists of: "A consumer's first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:
– Social Security number.
– Driver license number or state identification card number issued by the Department of Transportation.
– Passport number or other United States issued identification number.
– Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer's financial account."
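The statute draws the line at whether the encryption key was acquired together with the data, which is the same point the stolen-laptop scenario above turns on. The following is an added example, not code from the original post or from any product it mentions: it seals a constructed sample record with AES-256-GCM, then models a lost device two ways, once with the key held elsewhere and once with the key stored on the device, and reports whether the loss would be notifiable under the quoted rule. The record contents, the key handling, and the function names are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record standing in for a spreadsheet on a lost USB drive.
// The values are made up for this example.
var samplePII = []byte("Jane Doe, SSN 000-00-0000, OR DL 0000000")

// newKey returns a fresh random 256-bit key. In a real deployment the key lives
// in a TPM, is derived from a pre-boot passphrase, or is held by a key server;
// what matters here is whether it travels with the device.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptAtRest seals plaintext with AES-256-GCM. The random nonce is
// prepended to the output; Seal appends the authentication tag.
func encryptAtRest(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAtRest reverses encryptAtRest. A wrong key does not yield garbage:
// GCM rejects it outright because the authentication tag fails to verify.
func decryptAtRest(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LostDevice is what the thief physically holds: the encrypted volume and,
// in the bad case, the key stored alongside it (a key file on the same drive,
// a cached passphrase, a recovery key taped to the laptop).
type LostDevice struct {
	Sealed      []byte
	KeyOnDevice []byte // nil when the key is kept elsewhere
}

// thiefRecovers simulates an attacker working only from the device contents.
// Without the key, the best available move is a guess, and any wrong key fails.
func thiefRecovers(d LostDevice) ([]byte, bool) {
	key := d.KeyOnDevice
	if key == nil {
		key = make([]byte, 32) // an all-zero guess, one of 2^256 possibilities
	}
	pt, err := decryptAtRest(key, d.Sealed)
	if err != nil {
		return nil, false
	}
	return pt, true
}

// NotificationRequired applies the quoted SB 583 rule to the device: encrypted
// elements are not PII unless the key was also acquired, which in practice
// means the thief can actually read the plaintext.
func NotificationRequired(d LostDevice) bool {
	_, readable := thiefRecovers(d)
	return readable
}

// Scenario builds a lost device holding samplePII and reports whether the loss
// is notifiable, with the key either kept elsewhere or stored on the device.
func Scenario(keyStoredOnDevice bool) (bool, error) {
	key, err := newKey()
	if err != nil {
		return false, err
	}
	sealed, err := encryptAtRest(key, samplePII)
	if err != nil {
		return false, err
	}
	d := LostDevice{Sealed: sealed}
	if keyStoredOnDevice {
		d.KeyOnDevice = key
	}
	return NotificationRequired(d), nil
}

func main() {
	for _, onDevice := range []bool{false, true} {
		notify, err := Scenario(onDevice)
		if err != nil {
			panic(err)
		}
		fmt.Printf("key on device: %-5v -> notification required: %v\n", onDevice, notify)
	}
}
```

The example uses an authenticated mode deliberately: with GCM a wrong key produces an error rather than plausible-looking bytes, so the "can the thief read it" question has a crisp answer. The scenario with the key on the device is the one that costs organizations the exemption, and it is also the one that a keystroke logger or a recovery key left on the same drive quietly turns into.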
Some people argue encryption is the answer to information breaches; others believe prevention is the answer. I personally believe you cannot have an effective information security plan without both preventative measures (education and awareness) and encryption. Most small and medium businesses have undefined and risky business processes that their own IT staff know nothing about and therefore cannot protect. It is rather foolish to believe all employees will do their part. That is simply human nature, and countering it requires constant vigilance as well as the tools to back it up.
Notification is an immensely powerful incentive for organizations of all sizes to sit up and take notice of their information security practices. Along with regulatory pressure, organizations need to routinely audit their business practices and be realistic about identifying and mitigating risks. It is simply another case of if you fail to plan, then you plan to fail. Without encryption for your mobile workforce, do not be surprised to see your company's name on the Breach List.
If you are a Portland-metro area company and want to learn about encryption options, TeamLogic IT will provide a 1-hour free consultative meeting. We can provide you a road map to get you on the proper course to protecting your business properly.
Have you seen how Google is trying to convince us to keep our hard drives virtual! Ha, no way that can be trusted. Your article has great points, however we can both agree no system is EVER secure.
Posted by: Insurance Olympia | December 10, 2010 at 12:52 AM