On January 1, 2014, California implemented an amendment to its breach notification law. The law applies to companies doing business in California that experience a security breach exposing personal information. Under the amendment, “personal information” has been expanded beyond financial and medical information to include online account credentials such as user names and email addresses when lost in combination with passwords and security questions and answers. However, the law includes a safe harbor clause that negates company liability if the personal information is encrypted.
It is almost impossible for businesses to guard completely against data leakage, whether it’s an external hack, lawful interception, or human error. Faced with this reality, the only option for businesses is to use encryption to insulate against the impact of a data breach and avoid penalties. However, enterprise leaders need to remember that encryption is never a “one size fits all” technology, and for many it raises concerns over complexity and performance. There is a big difference between deploying encryption in laptops versus networks, storage systems, databases or applications.
When we think about encryption, most people focus on the encryption algorithm, the process of “scrambling” the data to make it unreadable, but that’s only half the story. Control and management of the keys to unlock and create meaning from the encrypted information is just as crucial, and from an organizational point of view probably more complex and error-prone. The encryption algorithms might be the same for a wide variety of use cases, but the key management activities almost certainly won’t be.
Of course, technology can rarely neutralize the reputational impact associated with a data breach, though in this case encryption does allow organizations to retain crucial control of their data. Recent high-profile attacks should serve as a powerful reminder that no systems are safe. Businesses need to invest time in understanding what their data is worth – encrypt what you care about and keep control of your data.