No excuse for unencrypted customer data

We should know better by now

A recent security breach at Sony Corp. exposed the personal and financial information of 100,000 customers on its PlayStation network. Sony Ericsson in Canada was targeted a couple weeks later, with name and e-mail information being stolen.

Almost daily breach announcements have become the depressing norm. And those are the ones that are promptly reported; not all are.

It’s been an adage for years that the only secure computer is one that’s not connected to the network. That’s increasingly an impractical option, with the prevalence of Internet use, the ubiquity of wireless data coverage and the increasing trend to move applications to the Web. There are criminals out there who can, and will, penetrate your system. Throw your hands up in despair.

Or, perhaps, apply the lessons that we have learned over and over again in the Internet Age. Your network WILL be hacked. The question is, what will said hacker find there of value when they inevitably do get through the firewalls?
After the TJX and Heartland fiascos of recent years, it should be clear by now. There is no excuse for customer data, at rest or in transit, to be unencrypted. The technological cost, the key maintenance, the latency — none of these justify unencrypted customer data.
Data leak prevention technology, applied rigorously and consistently across the infrastructure that hosts the most vulnerable data, can prevent the accidental loss of customer information, along with the “inside job.”
And then there’s an approach espoused by Ontario privacy impact assessment specialist Tracy Ann Kosa at last year’s SC Congress Data Security Conference and Expo: Collect only the information necessary for the application involved, for the specific situational relationship with the customer. In the event that all other measures fail, at least the amount of personal information leaked will be minimized.
And when countermeasures fail, immediate notification of customers should be enforced by toothy penalties for delay. “Timely” reporting doesn’t cut it.
 
None of this is news. But it seems that almost every day, a new security breach is.



Jim Love, Chief Content Officer, IT World Canada
