Data Breach Laws, Encryption and Having a Plan ‘B’

from zappowbang's photostream under creative commons

Data breach laws are becoming a serious concern for businesses of all shapes and sizes. It’s already five years since California passed its data breach disclosure law, requiring companies to notify customers of security lapses. Since then almost all other US states have followed, many adding penalties, so that a company whose customer data is lost or stolen now faces crippling fines on top of the likely loss of reputation.

Ireland published proposed measures on the subject two weeks ago. Frankly, it’s only a matter of time before the UK follows suit either through its own legislation or that of the EU.
 
Over on the Register, we’ve been running a series of articles about what constitutes an appropriate level of security, with the impending arrival of data breach laws adding some urgency to the discussion.
 
A common reaction is to demand the encryption of backup files. This appeals to companies for two reasons. First, it makes it far less likely that any lost information can be used – you could even argue that encrypted data doesn’t count as ‘information’ at all, following the line that information is data you can act upon. Second, and especially appealing, encrypted data is exempt from the disclosure requirements in many forms of this legislation, so the potential loss of reputation and customer trust is hopefully avoided.
 
Encryption is trickier than it looks, though. First of all, what kind of encryption are you going to use? Software encryption takes time – and for larger organisations, it’s possible that the rate of data production – the proliferation of stuff you’re supposed to be backing up – could quickly exceed the rate at which data can be encrypted. Hardware encryption of backups often looks more attractive as a result, but being tied to a particular vendor with no rescue plan for when they go under is a recipe for spectacular disaster. There’s some interesting advice on this topic in this post from Securosis.
 
Backup hardware on its own is already proving hard to manage when it comes to finding data from more than a couple of years ago. Have you still got a tape streamer that will fit the open-reel tapes and cartridges from the early noughties? Still got a computer with a SCSI card to fit the streamer onto? Still got the cable to put the two together? I’m sure sysadmins will be delighted when they’re told to add encryption to the mix.
 
Now let’s throw in key management. Exactly how secure does your encryption need to be? And how secure will today’s tapes need to be in five years’ time – a not uncommon legal retention period? Who will have access to the encryption keys, and how will those keys, in turn, be secured? Once again, this needs a systematic approach. There needs to be a plan, and a backup plan for when it all goes wrong. Needless to say, there are products that can help with this – but as always, they can only do so much if the strategy for their implementation and management is weak.
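The two worries above – vendor lock-in on the encryption side and "what if the key is lost" on the key-management side – are both addressed by the same design: encrypt the backup under a random data-encryption key (DEK) using a standard, documented algorithm, then store that DEK wrapped separately under each key holder's key-encryption key (KEK), so that any one surviving KEK is enough to recover the tape and no vendor appliance has to survive with it. The program below is an added illustration of that scheme, written for this page rather than taken from it or from any product; it uses only Go's standard library (AES-256-GCM for both bulk encryption and key wrapping), and the two key holders ("ops" and "escrow"), the random KEKs, and the sample backup contents are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// WrappedKey is one copy of the data-encryption key (DEK), encrypted under one
// holder's key-encryption key (KEK). Every holder gets their own entry, so losing
// any single KEK does not lose the backup.
type WrappedKey struct {
	Holder string `json:"holder"`
	Nonce  []byte `json:"nonce"`
	DEK    []byte `json:"dek"` // AES-GCM ciphertext of the DEK, tag included
}

// Header is stored in the clear next to the ciphertext. It names the algorithm
// and carries the wrapped keys, so recovery needs only a standard AES-GCM
// implementation, not a particular vendor's hardware or software.
type Header struct {
	Cipher string       `json:"cipher"`
	Nonce  []byte       `json:"nonce"`
	Keys   []WrappedKey `json:"keys"`
}

// EncryptedBackup is the header plus the encrypted backup body.
type EncryptedBackup struct {
	Header     Header
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: refuse to continue
	}
	return b
}

// EncryptBackup encrypts plaintext under a fresh random DEK and wraps that DEK
// once per entry in keks (holder name -> 32-byte KEK). At least two holders are
// required so that a single lost key is never fatal.
func EncryptBackup(plaintext []byte, keks map[string][]byte) (*EncryptedBackup, error) {
	if len(keks) < 2 {
		return nil, errors.New("need at least two independent key holders")
	}
	dek := randomBytes(32)
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	hdr := Header{Cipher: "AES-256-GCM", Nonce: randomBytes(aead.NonceSize())}
	ct := aead.Seal(nil, hdr.Nonce, plaintext, nil)
	for holder, kek := range keks {
		wrap, err := newGCM(kek)
		if err != nil {
			return nil, err
		}
		nonce := randomBytes(wrap.NonceSize())
		// The holder name is bound as associated data so entries cannot be swapped.
		hdr.Keys = append(hdr.Keys, WrappedKey{Holder: holder, Nonce: nonce,
			DEK: wrap.Seal(nil, nonce, dek, []byte(holder))})
	}
	return &EncryptedBackup{Header: hdr, Ciphertext: ct}, nil
}

// DecryptBackup recovers the plaintext using whichever single KEK is still
// available. A wrong or corrupted KEK fails closed instead of yielding garbage.
func DecryptBackup(b *EncryptedBackup, holder string, kek []byte) ([]byte, error) {
	for _, wk := range b.Header.Keys {
		if wk.Holder != holder {
			continue
		}
		wrap, err := newGCM(kek)
		if err != nil {
			return nil, err
		}
		dek, err := wrap.Open(nil, wk.Nonce, wk.DEK, []byte(holder))
		if err != nil {
			return nil, fmt.Errorf("wrong or corrupted KEK for %q: %w", holder, err)
		}
		aead, err := newGCM(dek)
		if err != nil {
			return nil, err
		}
		return aead.Open(nil, b.Header.Nonce, b.Ciphertext, nil)
	}
	return nil, fmt.Errorf("no wrapped key for holder %q", holder)
}

func main() {
	backup := []byte("customer-db dump (constructed sample)")
	opsKEK := randomBytes(32)    // held by the operations team
	escrowKEK := randomBytes(32) // held offline by a separate custodian: the plan B
	enc, err := EncryptBackup(backup, map[string][]byte{"ops": opsKEK, "escrow": escrowKEK})
	if err != nil {
		panic(err)
	}
	hdrJSON, _ := json.Marshal(enc.Header)
	fmt.Printf("header stored in the clear beside the tape: %s\n", hdrJSON)

	// Years later the ops key is gone; the escrow copy alone is enough.
	pt, err := DecryptBackup(enc, "escrow", escrowKEK)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", pt)
}
```

The point of the split is operational rather than cryptographic: the bulk encryption can be done by any AES implementation, hardware or software, that keeps up with the data rate, while the questions in the paragraph above (who holds a key, how it is secured, what happens when it is lost) are confined to the small wrapped-key entries in the header, which can be re-wrapped for a new custodian without touching the tapes themselves.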
 
Anyway, El Reg is conducting a poll to detect current attitudes towards encrypting data. We’ll be really interested to see the results, so make sure you add your own voice over there – and let me know what you think here in the comments box, too.
