Business pressures and the “mistaken belief” that encrypting data on PCs can be very expensive often deter Canadian organizations from following this sound practice, say industry observers.
The importance of data encryption – and the dire consequences of failing to encrypt – came into sharp focus following the recent spate of security breaches involving high-profile companies, including the Canadian Imperial Bank of Commerce (CIBC) and The TJX Companies.
In the U.S., organizations such as the Internal Revenue Service (IRS) are taking steps to decisively address this issue.
The IRS has announced it will include encryption technology on all its laptops within the next few weeks, shortly after reporting that nearly 500 IRS laptops containing unencrypted taxpayer and personnel data have been lost since 2003.
Canadian businesses and government agencies, however, are being held back from adopting similar practices because of perceived budget constraints and “industry pressures”, according to Philippa Lawson, director of the Ottawa-based Canadian Internet Policy and Public Interest Clinic (CIPPIC).
Failing to encrypt data – especially on laptops – could lead to serious breaches of privacy, Lawson said, citing recent laptop thefts – from a mental health facility in Calgary and the Hospital for Sick Children in Toronto – to prove the point.
In both cases, no encryption technologies were used to secure the sensitive data on these machines.
Both the Calgary and Ontario privacy commissioners have since made recommendations for tougher privacy policies.
The Toronto Hospital for Sick Children, for instance, is putting policies in place to ensure personal health information stored in locations other than a secure server is encrypted and carries no personal identifiers.
Lawson, however, doubted other Canadian firms and government offices would be able to respond as quickly.
Some organizations believe it’s a very expensive and complex undertaking, and this widespread “misconception” prevents them from using data encryption tools, says an IDC analyst.
“Laptop encryption can cost anywhere from US$50 – $100 per machine,” said Charles Kolodgy, research director, security products, IDC Ltd. in Framingham, Mass.
He said IDC conducted a recent study on the adoption of encryption in the enterprise and found “a lot of the fears concerning price and complexity were misconceptions.” Meanwhile, Canadian businesses continue to lobby the government against drafting stringent privacy protection legislation.
“Businesses here don’t want more regulatory burdens, fines or penalties,” said Lawson. However, stiffer fines and tougher penalties are needed to keep organizations handling sensitive personal data in line, according to Joe Greene, vice-president, security research, IDC Canada Ltd., in Toronto. “The government needs to get tough on privacy.”
“Unless organizations are [compelled] to protect the personal data in their custody, they will be slow to secure it properly,” he said.
Lawson echoes this view.
Failing decisive government intervention, public pressure and the damage security breaches cause to their image might be the only drivers for organizations here to implement stronger privacy measures, said Lawson.
“As more breaches are brought to light, public pressure will be placed on businesses and governments to protect private information. Unfortunately it might take a crisis before anything is done,” she said.