Malte Pollmann, chief product officer, Utimaco
Following the 2007 data breach at retailer TJX , the recent breach at Heartland Payment Systems, and a string of high profile data blunders in between that have compromised millions of customers’ data, lawmakers have finally taken notice and are making data security a priority.
In Massachusetts, for example, new legislation requires all companies (even those located outside of state boundaries) that hold personal information of state residents to encrypt that data on laptops or portable devices. Nevada enacted a similar law last October, while New York, California and others are considering related legislation. Though industry-specific legislation, such as HIPAA and PCI, and breach notification mandates have been in place for a while, data security mandates are only now beginning to sweep the nation, often forcing companies to demonstrate compliance in advance of short deadlines and with little support.
To comply with state regulations, companies should first have a comprehensive written information security plan and designate at least one person to maintain it. For smaller companies that lack dedicated IT and security resources, it is wise to work with an IT consultant with a security background to create a custom plan.
Fortunately, many businesses have already implemented some critical first-steps, such as firewalls and anti-virus software. While these measures help, they will not suffice for companies looking to comply with existing mandates. This brings us to a key technology necessary for protecting data: encryption.
Encryption has long been recognized by security experts as being the most effective way to secure data by making it unreadable to unauthorized users — and it will become even more prevalent as state mandates often require laptops, portable media and email be encrypted and that encryption keys be secured to ensure adequate protection against data loss.
Businesses looking to deploy encryption have a variety of options and should look at their individual needs when developing an encryption strategy. For ease of management, businesses may want to invest in automated key management systems that can be coupled with encryption solutions. Smaller businesses can purchase PC encryption software that provides strong security without the need for elaborate key management systems. Many businesses choose to deploy full disk encryption, which protects all of the information stored on the disk. With this option, users do not have to pick designated files or directories to encrypt, nor do they have to worry about temporary system files that may also contain sensitive data.
Above all, do not become overwhelmed by these new regulations. Costs associated with meeting requirements can be phased to address the most high-risk systems first. Users can — and should — be trained in security procedures for correct handling of sensitive data. Look at how cash is protected in companies, where only specific employees with access rights are allowed to handle cash. Now that sensitive data is recognized as something of value, it should be approached with the same cautious philosophy.
Increased state regulation will undoubtedly cost money and resources upfront, but provide the opportunity for companies to examine their business process and look for ways to make it more efficient. Data is the lifeblood of any company, so remember to treat it as such and take all precautions to protect data and ensure compliance.