Deciding What to Encrypt

5 Pages

Data loss incidents expose sensitive personal and business-critical information that could adversely affect consumer credit through identity theft, resulting in negative press and damaged reputations for the offending businesses and federal agencies. Unless steps are taken to secure data, it only gets worse: Millions of individuals will be affected by data loss in a single year and the trustworthiness of thousands of businesses will be at stake. 

Encryption for mainframe tapes has rapidly percolated to the top of data center requirements, driven by an alarming number of breach disclosures by high-profile organizations.  Legislation in many states requires disclosure when sensitive personal and business-critical information is lost or stolen and isn’t encrypted. 

Data breach exposures aren’t hype; they’re reality.  Many states have designed laws to protect consumer data identities, require businesses to be proactive in disclosure and remediation, and call for levying fines for unprotected exposure incidents.  To date, at least 35 states have enacted legislation requiring companies and/or government agencies to disclose security breaches involving personal information.  These laws promote the proactive use of data encryption by requiring public disclosure only when the exposed data hadn’t been encrypted.

With an estimated 70 percent of organizations and governments running critical applications on mainframes, we can surmise that much sensitive data resides on tape. Given the urgency and potential for exposure, encryption for mainframe tapes has become a top data center priority.

The Cost of Non-Compliance

Companies offer several common excuses for failing to encrypt their data, including not having the time or money to implement encryption. Unfortunately, no explanation after the fact can help a business recover from a data breach incident, pay fines or remediation costs, and recover from negative publicity or lost customers. If you do nothing to protect sensitive data and it doesn’t get compromised, then there’s no cost involved. However, as demonstrated by frequent reports of breaches, the probability of that data being lost or stolen is high. It’s not a matter of if, but when it will be compromised.

According to a 2006 study by the Ponemon Institute, remediation of compromised data cost businesses an average of $182 per record, with total costs as high as $22 million, $4.7 million on average, and no less than $226,000. Costs include legal fees, investigative and administrative expenses, stock performance, customer defections, opportunity loss, public relations, and customer support costs.

In addition, companies face losses more difficult to quantify. The damage to reputations and brand identities can take years to rectify—if recovery is even possible. Have you ever received a letter notifying you that your personal information has been exposed by one of the companies with which you do business? How long will it take you before you want to do business with that company again? Further, any Internet-savvy person can easily use popular search engines such as Google to find offending businesses with search criteria such as “employee lost tape.”

Know Your Exposures

The importance of protecting data and consumers, combined with escalating compliance regulations, is causing businesses to rethink corporate governance mandates, proactively investigate their exposures and implement information security policies, including the use of data encryption. Implementing a data encryption policy means businesses and consumers will be better protected and companies can avoid negative publicity and the costs of expensive data breach remediation.
