Encryption and Grizzly Bears
added: 07.15.2013, by Mike Spinney
California was the first state to pass a law requiring companies to notify people whenever their personally identifiable information (PII) was put at risk of exposure and misuse as a result of a data breach. Known informally as the California Data Breach Law, SB 1386 gained national prominence in 2005 when data broker ChoicePoint was duped into selling over 160,000 credit profiles to identity thieves posing as legitimate ChoicePoint business customers.
The ChoicePoint breach is generally regarded as the watershed event in data breach tracking and awareness. The Privacy Rights Clearinghouse maintains an excellent, searchable chronology of such events. If you aren’t familiar with the resource, you should remedy that situation posthaste.
Although SB 1386 became a de facto national law after ChoicePoint, since 2005 nearly every state has passed its own law to protect consumers from the threat of identity theft. In 2010 Massachusetts upped the ante when Mass 201 CMR 17 went into effect, requiring not only that organizations notify consumers of a data breach affecting their PII, but also that they implement preventative measures – including adopting encryption and action plans – in advance and anticipation of a breach.
The importance of taking reasonable steps to protect sensitive data and valuable information can’t be overstated. In fact, California is back at it and, taking a cue from the Bay State, is sending signals that it, too, may soon require companies to encrypt the PII of its residents.
While no method of protecting data is completely foolproof, encryption does ensure that only the most determined and sophisticated of miscreants will be able to access information so protected.
You see, except for rare occasions, data theft tends to focus on soft targets. Why spend time and energy hacking data that is encrypted when there is so much high-value information available in the clear?
It’s like the story of the two hikers preparing for a trek through grizzly bear country. As one of the hikers contemplated what type of gun to pack for protection, he noted the other lacing up a pair of running shoes.
“Why aren’t you wearing hiking boots?”
“Well, if we come across any bears, I want to be able to run as fast as I can.”
“Don’t be ridiculous. You can’t outrun a grizzly.”
“I don’t have to outrun the grizzly, I just need to outrun you.”