It looks like Connecticut could be following in the footsteps of New Jersey: according to stamford.dailyvoice.com, state senators are considering proposing legislation that would require insurance companies to encrypt any sensitive personal data. If the proposal passes, Connecticut would become the second state I know of that makes data encryption mandatory for insurance companies. New Jersey recently approved a bill that did the same for insurers in the Garden State, going as far as requiring the encryption of data stored on desktop computers.
Anthem Breach Aftermath
One of the largest data breaches to hit the US was made public in January: a breach of Anthem’s database affected approximately 80 million members. Over 1 million of them were residents of Connecticut, and enough of them contacted the state to merit considering legislation specific to the insurance sector.
Given how much attention Anthem’s data breach has received over the past month, I’m surprised the issue hasn’t been broached sooner. With the exception of a handful of laws, current federal and state statutes are seriously lacking when it comes to data security. Most merely recommend the use of encryption, while imposing dire consequences in the event of a data mishap. However, a recommendation does not carry the same sense of urgency as a compulsory obligation. No surprise, then, that many organizations treat the recommendation as optional. They’re not actually supposed to approach it that way, but why wouldn’t they? They’re not obligated to do anything, and there’s so much else to do (or so the real-world reasoning goes).
Encryption not a Silver Bullet
Of course, encryption is not a cure-all for every data ill. As knowledgeable people have pointed out after the Anthem data breach, there is very little the insurer could have done to protect its data with encryption alone, because the company’s database is in use all the time.
For example, technologies like disk encryption only protect information at rest, that is, while the device is powered off or the encrypted volume is locked, be it a laptop, a portable hard drive, or a data server. Once the system is running and the volume is unlocked, anything that can read the disk through the operating system sees plaintext. The analogy of a safe is not out of place if one thinks of encryption as the vault and the money as sensitive data: as long as the money is being used, it can’t be in the vault and hence remains unprotected. Put the money in the vault and it’s protected…but it can’t be used. Likewise, data that is actively in use cannot be protected by disk encryption.
The Connecticut senators appear to be aware of this shortfall:
That is why we are introducing this necessary, commonsense legislation to encrypt personal information. If we cannot prevent hackers from getting in, we can at least thwart their efforts by limiting what information they get and rendering it useless.
It’s becoming clearer and clearer that this is the kind of thinking we need. The approach of passing indirect, passive-aggressive legislation has run its course and has sadly proven that it doesn’t work.