What do encryption and reputation have to do with each other? On the face of it, the link seems tenuous. However, if a data breach occurs, encryption could be the difference between intense corporate embarrassment and a corporate reputation that remains untarnished. Of course, we’re talking about more than standard encryption of data in transit with SSL. This must be complemented by encryption of data at rest. Organisations are then better protected all round. In some locations, there is no obligation even to inform consumers if only properly encrypted data has been breached. But is this a reasonable approach? And if so, why did at least one recent high profile corporate victim fail to encrypt highly sensitive, compromised data?
The challenge of adequate data-at-rest encryption (DARE) comes from three factors: identification of sensitive data, the cost of encryption solutions, and the impact on the performance of IT systems. Full disk encryption (FDE) is one way of systematically protecting data at rest. Ponemon Institute organised a survey in 2012 to report on the “Total Cost of Ownership for Full Disk Encryption”. On a per user basis, it found that encryption in organisations per year cost at least $232 (US) and at most $331 (UK), but that comparative savings from reduced exposure to data breach were $4,650. Performance impacts were considered to be mainly at start-up and shut-down times of computers using FDE.
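The two paragraphs above make the case that encrypting data at rest turns a breached dump into something an attacker cannot read, and that FDE alone only protects a powered-off disk. The following Go program is an added illustration, not code from the article or from any vendor it mentions: it applies field-level encryption (AES-256-GCM from the Go standard library) to one sensitive column of a constructed record, binds the column name in as associated data, and then checks whether a serialised table dump still contains the plaintext. The record layout, the column name "ssn", the sample SSN and the key-derivation string are all constructed for this example; in a real deployment the key would come from a KMS or HSM, never from the same store as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Record is a constructed example of a sensitive row as stored at rest.
// Only SSN is encrypted; Name stays in the clear (an assumption for the demo).
type Record struct {
	Name string
	SSN  string // stored as base64(nonce || ciphertext || GCM tag)
}

// DemoKey derives a 32-byte key from a constant purely for this example.
// A production data-encryption key must come from a KMS/HSM, not source code.
func DemoKey() []byte {
	sum := sha256.Sum256([]byte("constructed-demo-key-do-not-use"))
	return sum[:]
}

// newAEAD builds an AES-256-GCM cipher from a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with a fresh random nonce. The column name is the
// associated data, so a ciphertext moved to another column fails to open.
func Seal(key []byte, column, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Open reverses Seal. Any tampering, wrong key or wrong column yields an
// error instead of silently wrong plaintext.
func Open(key []byte, column, stored string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// DumpExposesPlaintext models the attacker's view after a breach: does a
// serialised dump of the table contain the secret value in the clear?
func DumpExposesPlaintext(dump, secret string) bool {
	return strings.Contains(dump, secret)
}

func main() {
	key := DemoKey()
	rec := Record{Name: "Jane Doe"} // constructed sample row
	stored, err := Seal(key, "ssn", "123-45-6789")
	if err != nil {
		panic(err)
	}
	rec.SSN = stored
	dump := fmt.Sprintf("name=%s;ssn=%s", rec.Name, rec.SSN)
	fmt.Println("dump exposes SSN:", DumpExposesPlaintext(dump, "123-45-6789"))
	pt, err := Open(key, "ssn", rec.SSN)
	fmt.Println("recovered with key:", pt, err)
}
```

The point of keeping the key outside the data store is exactly the reputational one the article makes: an attacker who exfiltrates the table gets ciphertext, and the breach-notification analysis starts from "properly encrypted data" rather than 80 million readable records.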
Whether or not this survey found its way to the healthcare sector, the breach of around 80 million records at US health insurer Anthem early in 2015 was all the more serious for a lack of encryption. Initial estimates of the costs to Anthem of handling the breach were around one billion dollars, although some subsequent estimates were even higher. Remarkably, HIPAA (Health Insurance Portability and Accountability Act) compliance in the US healthcare sector does not insist on encryption of data at rest. However, on the basis of these numbers, data encryption looks like an investment with an excellent return, especially when many IT security managers have stopped preparing for “if” and started instead to get ready for “when” a data breach will occur.