A new report by the office of California Attorney General Kamala Harris highlights the need for exactly the type of encryption solutions offered by CipherCloud. The report compiles data breaches of personal information in California during 2012, and recommends that “companies should encrypt digital personal information when moving or sending it out of their secure network.”
According to the report, more than half of the Californians affected by data breaches reported – over 1.4 million people – would not have been put at risk if the data had been encrypted. The report chides organizations for being slow to employ encryption, despite the incentive created by the breach notification law’s “safe harbor” exemption for encrypted data. Kamala Harris has pledged that her office will “make it an enforcement priority to investigate breaches involving unencrypted personal information.”
California has been ahead of the curve on data privacy issues for some time: it was the first state to pass a law (SB 1386) requiring businesses and state agencies to issue breach notifications when personal information has been compromised. Similar privacy laws have now spread to 46 states and over 50 countries globally. An update to California’s law last year requires companies and agencies to notify the California AG’s Office of any breaches that involved more than 500 state residents.
This hot topic was quickly picked up by the Wall Street Journal (“Lack of Encryption Puts 1.5 Million Californians at Risk”) and InfoWorld Tech Watch (“Calif. attorney general: Time to crack down on companies that don’t encrypt”). WSJ reporter Rachael King quoted Forrester analyst John Kindervag: “if companies encrypt information like social security numbers, credit card numbers and other personally identifiable information, it’s not considered a breach under the law.” Yet too many companies also suffer from “cryptofear,” where they believe that encryption of personal information will be too difficult or costly. Kindervag says that encryption is “a problem that has been solved at the enterprise level,” assuming companies retain their encryption keys and manage them carefully.
CipherCloud’s view is that this problem is definitely solvable, but with the rapid growth in cloud applications, many organizations have not caught up with the increased risk of sensitive data being stored in the cloud. Perhaps “cryptofear” comes from legacy solutions that have been incomplete, complex, or not deployed at the right place. CipherCloud has solved this with solutions that apply consistent security across an organization while being completely transparent to end-users.
It’s now a fact of life that sensitive data will be stored in the cloud, and accidents, leaks, or malicious attacks are inevitable. But if organizations encrypt information before it goes to the cloud, and retain exclusive control over encryption keys, they can eliminate the risk of being part of a costly and painful public breach notification.