A new study released by the Ponemon Institute has found that the use of data security products like full disk encryption is increasing in Australia, apparently a reaction to increasing cases of data breaches.
According to itwire.com, the report found that 69% of 482 Australian businesses experienced at least one data breach in the past 12 months, compared with 56% the previous year. Also interesting to note: of the companies that did admit to breaches in the survey, only 35% publicly announced them.
Those who did not announce the breaches did not do so because “there was no legal or regulatory requirement.” The last time I checked, Australian data breach notification laws are still being contemplated. They’ll go into effect on January 1, 2010 at the soonest, but there is no set time.
(In fact, there’s no guarantee that one will ever be legislated, if I understand the story correctly. So far, there is just a recommendation from the Australian Law Reform Commission that Australia’s Privacy Act be amended to reflect the lack of a breach notification law.)
However, it looks like the breaches that were made public have not gone unheeded by Australians. Of respondents, 66% said that data protection was important in a company’s risk management efforts. (I note that it seems to correspond with the 69% of companies that experienced a data breach–coincidence?)
A Worrisome Stat?
Also, a slightly worrisome statistic: “70 percent believed encryption was a critical factor in protecting a company’s reputation.”
Whoa, hold on a bit.
While there are many around me that think encryption software is a gift from the gods, and tend to talk about it that way (big surprise; we’re a managed encryption software provider), and would agree with the above assessment, I for one can’t agree that encryption will protect a company’s reputation. And here’s the reason why.
Whenever I follow up on data breach articles, plenty of people add comments to the effect of “that data shouldn’t have been on a laptop to begin with. Now it’s stolen, I hate you company ZYX.” This is even when the story makes note of the fact that, for example, whole disk encryption software was used to secure the data.
Of course, even with the use of encryption, having a device with sensitive data not stolen is always a better outcome than having it stolen, albeit (I think) only infinitesimally better. But, this is not the reason why people make the comment I refer to above.
Rather, it seems to me, it’s that people in general don’t know what encryption is–and what it can do to help prevent data breaches–to begin with. And, under such circumstances, it’s not really going to help in any PR effort.
Unless, of course, the use of encryption gives a company safe harbor from having to announce that they lost a computer with sensitive information on it.