Hard Drive Encryption Not Required By Law. Good Enough Is Enough?.

PC World has an article about “what the law requires of IT.”  They make some interesting points, and how the law in a certain case noted that laptop encryption was not necessary.  But they have other noteworthy points.

 

Straight off the bat, the article notes that when bank robbers stole from banks in the days of yore, people felt sorry for the banks and hunted down the outlaws.  Today, we blame the banks for not providing adequate security.  And I say, can you blame people for behaving this way?  It’s all a matter of providing a decent amount of security.  There isn’t much too protecting money: get yourself a vault and some security guards with guns.  There’s not much else to do.

 

However, if these same banks had decided to keep the money under their respective bank president’s office sofa cushions, and that money went missing during a burglary…well, let’s say that people wouldn’t be feeling sorry for banks—and others, in addition to outlaws, would be hunted down.

 

Why does the public in the twenty?first century heap scorn on companies like TJX, which are technically victims of a crime? (Or, depending on your point of view, victims of multiple crimes, since it continuously for over a year for TJX?)  Why do UK citizens talk about “imbeciles” working for the British government when unencrypted CDs with sensitive information went missing?  Because they did the equivalent of keeping the money under the sofa cushions.

 

People understand implicitly that there is a standard of security that a company shouldn’t dip below, especially in this day and age of identity theft.  So when it’s reported that TJX’s C-level executives decided not to upgrade their wireless encryption standards in order to save money, fully knowing that the weaker standard posed a healthy amount of danger, well…it sounds like the company decided to forego their customers’ financial well?being for company profits.  And while companies are supposed to pursue profit, this is America and the free world we’re talking about, people don’t like it when those profits come at their expense.  Sounds like commonsense, no?

 It’s a funny thing, though.  As the article points out, from a legal standpoint, the definition of what’s the “legal standard for compliance” with data security tends to vary from case to case.  For example, the case of Guin v. Brazos Higher Education Service is given as a legal precedent.  In that particular case, a laptop—which may or may not have had sensitive information on it—was stolen from a Brazos employee’s home.  Because the company didn’t know whether there was sensitive information on the stolen computer, they alerted all possible affected clients, and one them sued because the stolen computer did not feature full disk encryption. 

The court, however, found that Brazos wasn’t required to have laptop encryption on that computer because the law (the Gramm?Leach?Bliley Act, specifically) had no provisions stating that encryption had to be used.  Brazos had followed the law to a T when it came to protecting the data.  I’m not sure what protections were in place—to me, they don’t sound like realistic protection measures: “Brazos had written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information as required by [GLBA].”

 

I know for a fact that the first two listed, while important overall when it comes to security, don’t have the same efficacy that disk encryption offers when it comes to protecting sensitive data after an incident like a home burglary.  And it seems to me that a home burglary, while not a common occurrence for the average person, wouldn’t be unexpected, so a provision for data protection under such a scenario should have been contemplated by the company.  Brazos may have won in the legal court, but who knows how many people have been turned off by their lack of proactiveness when it comes to protecting client data?



Comments (0)


Let us know what you think