Data breaches can be costly to a company’s bottom line and reputation. Organizations should be motivated to protect sensitive data with encryption.
Epsilon, a company that conducts e-mail marketing campaigns, isn’t a household name, but its clients are: Best Buy, Kroger, Hilton and Marriott hotels, Target and Walgreen’s, to name a few. Epsilon got a black eye, and 50 of its 2,500 clients had to do damage control, when its computers were hacked and the e-mail addresses of those clients’ customers were exposed. Much of the ensuing anxiety and negative publicity could have been avoided if Epsilon had encrypted the e-mail address data and kept the keys out of the attackers’ reach. It’s a relatively easy precaution against a big problem.
Given the hundreds of data breaches reported annually, organizations should be well motivated to protect sensitive, valuable and regulated data with encryption, yet a troubling number of companies don’t. When data is encrypted with a sound algorithm, even if it’s exposed to hackers they can’t do anything with it: without the decryption keys (and the credentials that guard them), recovering the plaintext is computationally infeasible.
The Epsilon breach, first reported March 30, 2011, was relatively harmless, but it could have been much worse. Epsilon responded quickly and appropriately by acknowledging the breach and the fact that tens of thousands of consumers’ e-mail addresses had been exposed. A number of its clients, such as the providers of the Hilton and Marriott hotel rewards programs, warned their customers of the breach and urged them to be on the lookout for dangerous and costly phishing attacks: fake e-mails designed to look like they come from legitimate businesses. An unsuspecting recipient who clicks a link in such an e-mail may find that the browser has just fetched a malicious payload that can steal passwords or other personal information. Epsilon said only e-mail addresses were stolen, not names, postal addresses or credit-card numbers. It’s unknown whether that’s because that data was encrypted. If it was, it raises the question of why the e-mail addresses weren’t encrypted and protected as well.
From a legal standpoint, the most important thing about encryption is that in most cases it shields a company from having to disclose a data breach, with the embarrassment, brand damage and, ultimately, harm to customers that disclosure can bring. Most of the 50 states have adopted breach notification laws, and 42 of them include an exception that relieves a company of the duty to notify if the exposed data was encrypted. The language in the Arizona breach notification law is typical: “[The law] excludes data that is redacted or secured by other methods rendering data unreadable or unusable from notification obligations.” The practical caveat is that such an exemption only holds up if the data really is unreadable, which means the decryption keys must not have been exposed along with it.
Data breaches can be costly not just to a company’s bottom line but to its reputation. The Ponemon Institute published a study this year that places the average cost of a breach at $4 million per incident, based on a study of breaches in the U.S., Germany, France, the UK and Australia. That figure represents an 18 percent increase from 2009 and includes the cost of detecting and responding to the breach, customer notification, lost business and follow-up responses. The cost per compromised record was $156, up 10 percent from 2009. The United States was the most expensive country, at $7.2 million per incident and $214 per compromised record. Lost business is the largest component of a breach’s cost, according to Ponemon, as trust erodes and customers take their business elsewhere.
On the bright side, the report shows that U.S. companies were driven by regulatory compliance to invest more in prevention, including deploying more encryption: “2010 marked the first time that regulatory compliance surpassed data breach mitigation as the main driver behind U.S. companies’ implementation of encryption technologies.” However, the Ponemon study also exposed an acute lack of preparedness among organizations, which it warns “can lead a company to become a first-time breach victim.” In other words, advance preparation should precede recovery and notification plans.

Encryption renders sensitive data unreadable by transforming it with a mathematical algorithm under a secret key, so that only someone holding the appropriate key can decrypt and access it. In practice the bulk of the data is encrypted with a symmetric cipher such as AES under a per-record or per-file data key; public-key (asymmetric) cryptography is then used to protect that data key, so that a public key can wrap it but only the corresponding private key can unwrap it. The private key is made available only to the people or systems authorized to decrypt, whether the data is at rest in a database or in motion as it moves within and beyond corporate networks, including to the cloud and to mobile devices. Besides using encryption to protect the data, another critical part of a security policy is protecting the keys themselves: an attacker who steals the keys along with the ciphertext has effectively stolen the plaintext. Keys must be securely stored, on the customer’s premises (ideally in a hardware security module) or with a trusted third-party key-management service, and never alongside the data they protect.
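The data-key-plus-wrapping-key arrangement described above, as an added example in Go written for this page (it is not code from Epsilon, Ponemon or any product): a record field such as an e-mail address is encrypted with AES-256-GCM under a fresh data key, the data key is wrapped with the key custodian’s RSA public key, and only the private key can recover either. The field label, the OAEP label and the in-process RSA key pair are assumptions for illustration; in a real deployment the private key would sit in an HSM or key-management service, not in the same process as the data. Only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedRecord is what the database would hold for one field: the AES-GCM
// ciphertext plus the data key wrapped under the key custodian's RSA public
// key. Without the matching private key, none of it can be turned back into
// plaintext.
type EncryptedRecord struct {
	Nonce      []byte // 96-bit GCM nonce, unique per encryption
	Ciphertext []byte // AES-256-GCM output, authentication tag appended
	WrappedKey []byte // RSA-OAEP encryption of the 256-bit data key
}

// oaepLabel is a hypothetical label that ties the wrapped blob to its purpose;
// any fixed value agreed by both sides works.
var oaepLabel = []byte("record-data-key")

// NewKeyPair generates the custodian's RSA key pair (here in-process, for
// illustration only; in production it would be generated inside an HSM/KMS).
func NewKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// EncryptRecord generates a fresh data key, seals plaintext with AES-256-GCM
// (binding the field name as associated data so a ciphertext cannot be moved
// to a different column), wraps the data key under pub, and then discards the
// plaintext key. The public key is the only key material the writer needs.
func EncryptRecord(pub *rsa.PublicKey, field string, plaintext []byte) (*EncryptedRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(field))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptRecord is the only route back to plaintext: unwrap the data key with
// the private key, then open the GCM ciphertext. A wrong private key, a
// tampered ciphertext or nonce, or a mismatched field label all fail closed.
func DecryptRecord(priv *rsa.PrivateKey, field string, rec *EncryptedRecord) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or corrupted record")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(field))
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext, nonce or field label altered")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample: one customer e-mail address, as a marketing firm might store it.
	custodian, err := NewKeyPair(2048)
	if err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(&custodian.PublicKey, "email", []byte("alice@example.com"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored ciphertext (first bytes): %x\n", rec.Ciphertext[:8])

	// The intruder has the database dump but not the custodian's private key.
	intruder, _ := NewKeyPair(2048)
	if _, err := DecryptRecord(intruder, "email", rec); err != nil {
		fmt.Println("intruder:", err)
	}

	// The authorized system recovers the e-mail address.
	pt, err := DecryptRecord(custodian, "email", rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("custodian:", string(pt))
}
```

The point the breach-notification discussion turns on is visible in the `intruder` branch: a copy of the stored record is worthless to someone who holds only the database contents. It is equally visible that if the custodian’s private key had been stored next to the records, that protection would evaporate, which is why key storage is treated as a separate control.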
The Sony PlayStation Network case provides a lesson in how encryption can take some of the sting out of a breach. Sony suffered the embarrassment of having hackers break into the network in April 2011, shutting it down for three weeks and exposing personal information about its 77 million subscribers. However, Sony said that while credit card data was taken, it was encrypted and so of no use to the cybercriminals. Sony reported that the cost to recover from that breach was $171 million. Had the thieves obtained usable credit card numbers, the costs would have been much higher.