Protecting Trust between Businesses and Consumers

Over 33 states in the US have implemented breach notification clauses in privacy and security legislation. Unfortunately, due to the confusing differences in breach notification requirements from state to state and the lack of a comprehensive federal legislation, consumer confidence in securing personal identifiable information (PII) is at an all-time low.

The lack of consumer confidence is undoubtedly fuelled by numerous data security breaches resulting from lost or stolen notebooks, endpoint devices, and removable media (USB thumb drives and CD/DVDs). The Privacy Rights Clearinghouse reports that approximately 154.5 million records containing sensitive personal information have been subject to data security breaches since 2005.

Clearly, consumers need to be confident that any organization entrusted with personal information will prevent unauthorized access to the data, and that in the event of a breach they will be swiftly notified. Breach notification clauses attempt to ensure that consumers are given the opportunity to protect themselves from identity theft and potential financial fraud in the event of a data security breach.

Increasingly included in today’s data security regulations, breach notification clauses are driving organizations to encrypt data, implement positive user authentication, develop strict data security policies and manage data leaks. As a result, today’s global enterprises exchanging sensitive data across borders (albeit PII, sensitive information or data surrounding intellectual property) must be able to institute data security policies/strategies that meet all international privacy requirements.

This need for enhanced data security is also driving today’s data security vendors to develop innovative encryption software to ensure the security of consumer, business partner and shareholder PII by protecting all data, be it data at rest, data in use or data in transit. Indeed, many would argue that it is hard to determine whether disruptive regulations or improved data security technology are having the greater impact on IT data security policies and how organizations protect data.

But what is abundantly clear is that with the exchange of, and access to, sensitive data increasingly linked to corporate governance, enterprise architecture and compliance issues, senior executives worldwide are spending increasing amounts of time overseeing regulatory compliance projects. And many senior executives express frustration over the added workload that compliance pressures have brought to IT departments internationally.

US takes the lead

Regulations defining the manner in which businesses behave in the marketplace are not new. Regulations govern how organizations market products, report financials, interact with customers and produce and sell products/services, so it is hardly surprising that the management and protection of PII be regulated. Unfortunately, most regulations protecting sensitive information still do not possess the mandatory enforcement necessary to compel organizations to comply with the legislation. But this is changing, and the US has taken the lead not only in data protection, but also in breach notification.

Security breach notification clauses embedded within California Senate Bill 1386 force organizations to disclose data breaches, with the exemption of data that has been encrypted or where disclosure may interfere with police investigations. Penalties include fines and/or criminal/civil action – although the severity of any penalty is inconsequential when compared to the negative impact that bad publicity has on customer trust and on company profits.

Perhaps the strictest breach notification clause to date is the GLBA in the US. The GLBA only exempts encrypted data if the electronic key used to encrypt the data resides on the hard drive itself, presenting a clear case for two-factor end-user authentication or authentication that does not allow for keys or key files to be stored on the encrypted device’s hard drive. The interesting observation here is not that breach notification clauses are now being incorporated within privacy and security regulations as they are revised, but rather that the breach notification clauses are defining the nature of the electronic encryption key or keys required to exclude an organization from breach disclosure.

This begs the question, how can organizations ensure that their employees adhere to endpoint security policies? The best approach is to make the entire process as simple and transparent as possible for the user.

A transparent process

Data encryption is the ideal method of controlling access to PII, whether it is data at rest, data in transit or data in use. But in order to enable organizations to comply with new data security legislation, encryption vendors must ensure solutions keep pace with ever-changing regulatory policies without negatively impacting user productivity.

Encrypting the entire hard drive at pre-boot makes it simple to integrate single or multi-factor end-user authentication, and to ensure that organizations can manage keys/key files to easily comply with privacy and security regulations. This approach also ensures that the whole process can work in the background without impacting the user.

WinMagic’s SecureDoc ensures access to the hard drive can only be obtained at pre-boot through end-user authentication via any combination of password, USB hardware token, PKI, smart card or biometrics. This prevents unauthorized users from starting the Windows operating system, or from accessing the same encrypted hard drive installed as a slave drive. With the hard drive encrypted, data is transparently encrypted and decrypted as information is written and read from the hard drive. And this is achieved without any noticeable performance difference between an encrypted and non-encrypted hard drive.

Another recent requirement of many breach notification clauses is that organizations must now encrypt all data at rest in archives to ensure the security of PII. But how can organizations be sure that their encryption solution will provide access to this data 10 or 20 years from now? Also, will electronic key repositories enable organizations to efficiently identify which key or key file is to be used to decrypt archived stores of data?

SecureDoc’s innovative electronic key labeling allows enterprises to quickly identify and associate an electronic key or key file with its respective encrypted data store to make it simple to quickly access and decrypt encrypted archived data. Based on a SQL DBMS backend, the SecureDoc Enterprise Server represents the thousands or millions of keys that enterprises may generate as a string of alphanumeric values of various lengths. These keys can be labeled with human readable text for easy identification.

By enabling organizations to secure, share and dynamically provision electronic keys via a central server, WinMagic eliminates the complexity associated with ensuring that only authorized users can access sensitive data across an enterprise or within a group or department to provide an instant return on investment.

In conclusion, it is critical that enterprises drive the convergence of data security and business processes to ensure all data is protected. Any technology deployed without taking into consideration corporate governance and unique security requirements is doomed to fail because it will not account for the non-technical processes related to securing data at rest.

Understanding that organizations require flexible encryption solutions that allow for multi-factor authentication, effective key file management, and policy controls for disk and removable media encryption in order to comply with all global privacy and security regulations, WinMagic has developed SecureDoc to eliminate the security versus productivity debate by making it simple to protect all data on all devices at all times without sacrificing business processes or user productivity.

Infographic:
154.5 million
Number of records containing sensitive personal information subject to data security breaches since 2005

“The need for enhanced data security is driving today’s data security vendors to develop innovative encryption software”
“How can organizations ensure their employees adhere to endpoint security policies? The best approach is to make the entire process as simple and transparent as possible”