California's Senate Bill 1386, which came into effect in July 2003, forces businesses to report any loss or misuse of data to anyone affected by a security breach. Thanks in part to this bill and rampant media coverage, the fear of identity theft has steadily risen--and apparently for good reason. In the past three weeks, a trio of highly publicized security breaches has occurred--at Hotels.com, the Veterans' Administration and a major student loan provider.
In late May, equipment containing the names and social security numbers of roughly 1.3 million Texas Guaranteed Student Loan Corp. borrowers vanished, according to company officials. The electronic files containing the lost data were decrypted by enterprise data management provider Hummingbird on a laptop that was then misplaced by an employee. While unfortunate for the borrowers, the sunny side of the story, say some analysts, is that accidents like these may drive more enterprises to expedite encryption deployments.
How can companies prevent similar mishaps? According to Andrew Krcik, VP of marketing for enterprise encryption provider PGP, "People should use good quality encryption, which is a minimum of 128 bits. Laptops should also be secure. This is about having good precautions and common sense. Just use encryption or a VPN tunnel on your laptop... and don't walk away from it.
"Also, security vendors should state in their contracts that all data will be protected by a third-party subcontractor. Vendors really have to take responsibility and protect themselves." Even though Hummingbird misplaced the laptop, it is the Texas Guaranteed Student Loan Corp. that will ultimately have to face its customers.
Krcik states that although security has long been a pressing issue, it still hasn't been addressed by many companies for several reasons. "Five, 10 years ago, putting in encryption was a big project that was very expensive, took a lot of people and really interfered with the user, and people think it's still set up that way," he says. "However, next-gen encryption services can be completely automated. You can deploy this really easily without changing IT infrastructure or user training."
Another major reason for the delay in widespread encryption, says Krcik, is that although almost all companies have security on their to-do lists, it's not quite at the top--yet. "Every organization knows that it's an issue ... It'll happen when IT gets the funding and the priority."
Andy Solterbeck, general manager of the Data Protection Business Unit at SafeNet, agrees that highly publicized security breaches like these will help propel widespread data protection forward. "It's fair to say that the issue of the protection of data has been in the forefront of the enterprise's mind for a significant period of time," he said in a recent phone interview. "What's fundamentally changed is the risk profile. The amount of data that needs to be encrypted and the areas where devices are used ... are increasing because of mobility. I think enterprises are now absolutely recognizing this as an issue, and they're very actively pursuing solutions that can fix this problem."
While enterprises are responsible for deploying security measures, encryption providers must also work to devise the least invasive method for installation, states Solterbeck.
"[These stories] are manifestations of a lag between recognition of the problem and enterprises rolling out the solution. We've got to be able to deliver solutions that are easy to deploy and won't impinge on what the user needs to do. I think that's what enterprises are looking for."
Solterbeck chooses to view these recent security slips as a motivator for big businesses. "There's a huge opportunity for enterprises right now to get a handle on data protection on all levels. We think it's a huge step forward for the enterprise to step up and make strong compliance claims. I think this kind of story proves that encryption really is mandatory now. We think it'll have them saying, 'We really have to get a handle on this.'"