Why should all the sensitive data on your computers be encrypted? You can find the answer to that question by Googling these three words: data breach unencrypted. Even a cursory glance at the long list of search results will show you how much trouble organizations can get into when they don’t encrypt sensitive information, particularly personally identifiable information (PII).
What kind of trouble does a lack of encryption bring? Well, apart from bad publicity and lost business from customers who decide you can’t be trusted with their data, you could also be looking at a million dollars in fines, possibly more. We’re talking budget-busting costs that could have been avoided by spending just a fraction of that on a basic program of encryption for all company computers.
Consider Concentra, a company you probably never heard of before, at least not until April when it reached a $1,725,220 settlement with the OCR. Never heard of the OCR? That’s the Office for Civil Rights within the U.S. Department of Health & Human Services, the branch of government that enforces the Health Insurance Portability and Accountability Act, better known as HIPAA. The privacy and security rules that came with HIPAA require just about any organization that handles health-related personal information to protect said data to certain standards. (On top of that, many states also require companies to notify persons whose PII may have been exposed, as will be discussed in a moment.)
Fail to meet applicable HIPAA standards and you could be in trouble, particularly if any incident occurs which exposes data that should be protected (Protected Health Information or PHI). Incidents involving more than 500 unencrypted PHI records must be reported. The OCR maintains a wall of shame, a searchable database of incidents in which protected PHI was breached, and a list of case examples and settlements, like the one with Concentra.
So what did Concentra–in common with so many other organizations inside and outside of the healthcare industry–do wrong? According to the OCR settlement, the company:
“did not sufficiently implement policies and procedures to prevent, detect, contain, and correct security violations under the security management process standard when it failed to adequately execute risk management measures to reduce its identified lack of encryption to a reasonable and appropriate level…”
In other words, the company not only failed to do enough encryption, but it also lacked a suitable business process (risk management) for determining the necessary extent of encryption. As this PDF of the case shows, the company knew in October of 2008 that only 434 out of 597 laptops were encrypted but did not move to encrypt all laptops until June of 2012, after an inventory of IT assets was completed.
Concentra is far from alone in this “failure to adequately encrypt” category of data breach. Other examples of fines for failure to encrypt in the healthcare space include $1.5 million paid by both Blue Cross Blue Shield of Tennessee (BCBST) and Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. And that Google search on data breach unencrypted that I mentioned earlier? It just turned up this May 27 headline: Humana members notified of Atlanta data breach. Apparently, an Atlanta Humana employee’s car was broken into and thieves took the employee’s encrypted laptop. Sadly, they also took a USB drive on which were stored unencrypted files containing names, medical record information and some Social Security Numbers of almost 3,000 Humana enrollees.
Of course, this problem of failure to encrypt extends well beyond the healthcare sector into all areas of data usage, including government, education, and yes, big business. Brand names don’t get much bigger than Coca-Cola, and in January we learned that “Due to a theft of unencrypted laptops at Coca-Cola, around 74,000 current and former employees at the company may be at risk of identity theft or fraud.” SC Magazine.
So, Coca-Cola was in the unhappy position of notifying tens of thousands of people that some combination of their identity data were “out there” and could be used for identity theft, including name, address, Social Security Number, compensation, ethnicity, and driver’s license number. It’s a safe bet that some of those current or former Coca-Cola employees were California residents, and California has one of the strongest data security breach reporting requirements. The law requires timely disclosure to “any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Note that, as with HIPAA, California also provides “Safe Harbor” in the case of encrypted records. In other words, if you’ve encrypted files or folders containing PII on a drive that goes missing, you don’t have to report the breach. Accidentally emailed a spreadsheet of employee data to the wrong person? No need to worry if the attachment is encrypted.
Encryption of files, whether stored on a drive or emailed via Outlook, not only gets you Safe Harbor when something does go astray, it also buys you considerable peace of mind. However, don’t expect to get Safe Harbor for data breach notification by using any old encryption program. The trend is for data protection laws to keep raising the bar and California looks set to pass legislation that sets a baseline standard for encryption. As Phil Lee, a partner at Fieldfisher told DataGuidance:
“The ‘safe harbor’ breach notification provisions in AB 1710 really make clear that there’s encryption, and then there’s encryption. In a nutshell, AB 1710 says that businesses will have to notify consumers about breaches even where the data lost was encrypted, unless the data was encrypted to the strict levels of NIST’s Advanced Encryption Standard [AES]. Simply seeking exemption from notification on the basis that the data was encrypted to some vague, loosely-defined standard will no longer suffice.”
One reason regulators come down so hard on those who fail to implement proper encryption is that this ability to encrypt data to high standards, making it inaccessible to everyone except holders of the decryption key, has been around for a long time. That makes failure to use strong encryption an increasingly egregious oversight in the eyes of those charged with protecting and policing the handling of personal information.
And regulators are not the only ones getting steamed up about a lack of encryption. The public today is a lot better informed about encryption than it was even a year ago. Take 12 months of news headlines about mass electronic surveillance and attacks on encryption by certain government agencies (NSA and GCHQ), season with a large data breach at a brand name company that everyone has heard of (Target) and you produce a big batch of consumers that are far more familiar with the word ‘encrypted’ than folks used to be. That means your company’s failure to encrypt sensitive information like PII will be judged harshly, not only in the courts of compliance and law, but also in the courts of press and public opinion.
Fortunately, encryption is no longer the IT pain it used to be. There are encryption products available today that are easy to implement and use across small or large enterprises, with all functionality and settings conveniently managed from a central server. You can start out with basic file and folder encryption. Add Outlook integration to enable secure transmission of protected files. Later you can add automatic encryption of removable media and full disk encryption. What you don’t want to do is ignore the need for a well documented and properly implemented encryption policy, one that is applied to all of the sensitive data that your organization handles, wherever it resides and however it is transmitted. Otherwise, if you do experience a breach, you will quickly learn there are no excuses left.
Author Stephen Cobb, ESET