How to Achieve Total Compliance With Endpoint Data Encryption

When South Carolina Governor Nikki Haley called encryption “complicated” and “cumbersome,” and noted few government agencies and financial institutions employ encryption to protect sensitive personal data, security experts took notice. Haley’s October 2012 remarks came after a massive data breach compromised the Social Security numbers and financial information for three-quarters of her state’s population, and highlighted an Internet security issue: Data encryption, specifically endpoint data encryption, is not only a key facet of keeping data safe, but also a compliance issue.

Encryption: It’s the Law

In some environments, endpoint data encryption is a regulatory issue. Healthcare providers, for example, are governed by the Health Insurance Portability and Accountability Act (HIPAA), which places strict regulations on the access and use of private health and personal data. HIPAA requires data to be encrypted both in transit and at endpoints; failing to do so could lead to hefty fines and other disciplinary action.

The healthcare industry is not the only one governed by strict encryption rules. Anyone who takes payments via debit or credit cards, for example, is governed by the Payment Card Industry Data Security Standard, or PCI-DSS. PCI-DSS is an information security standard for any organization that handles individual payment data, and compliance with the standard includes data encryption.

How Data Encryption Protects Your Business

Laws like HIPAA were designed to protect consumers from their personal data falling into the wrong hands, but the regulations also protect businesses from the fallout of a data breach. Studies estimate it costs a small business up to $200,000 to handle legal requirements post-breach, such as notifying customers and launching an investigation; for a large business, depending on the breach’s size, the cost grows into the millions of dollars. Each year, many businesses learn why data encryption is important the hard way, not only losing millions of dollars in revenue, but also their reputations and customer perceptions.

Proper security protocols, then, not only prevent a data breach, but also help businesses handle the fallout. While 46 states have laws requiring businesses to notify customers in the event of a breach, a business with proper encryption in place is exempt from those notification laws, which represents a significant savings. In addition, endpoint encryption helps close a breach if one occurs. A centrally managed solution with real-time updating allows security personnel to lock or destroy data remotely if a device is lost or stolen, restricting unauthorized access the minute the breach is detected.

Adequate encryption protocols also help businesses manage the compliance process, by providing detailed reports on all devices and individuals. In the event something does go wrong, the encryption program should provide a trail to the breach, allowing for fast response and remediation.

The Keys to Compliance

Governor Haley may have called encryption “cumbersome,” but in reality encryption doesn’t have to be complicated or difficult to implement.

Ideally, an encryption solution should be centrally managed, allowing IT security to easily control and monitor data as well as who has access to it – whether access comes from a computer, smartphone, tablet, USB device or other source. The solution should also include transparent key management. Some businesses run into trouble managing the encryption key: they keep access to the key on a paper trail or a USB device, creating vulnerabilities, or the system is so complicated that the average user lacks the technical know-how to use it properly. With a streamlined and transparent key management system and limited, secure workstation access, IT security can effectively manage access to the encryption key while keeping it easy for employees to use.

In fact, employees can often be the weak link when it comes to information security. It’s important for security professionals to provide education and information on the tools and protocols for maintaining data integrity. This means developing strong password protocols and requirements, in addition to a strict policy on personal device use. The endpoint encryption solution must also automatically recognize and deploy to new devices.

South Carolina’s security breach has cost the state millions of dollars, primarily in insurance claims and identity theft protection for residents. More importantly, the breach highlighted the importance of data encryption in information security. The law may not require encryption for all agencies and businesses, but deploying the technology will keep sensitive data away from hackers, and protect businesses and individuals from the high costs of theft.
