I want to pass along a link to a story posted by fellow bloggers "Ephemaralaw."
The reason for this is to point out that data stored on servers should be encrypted going forward, and this breach is a classic example of exactly why. By May 1st of next year every covered business, non-profit, school district, utility, college, and local government needs to have in place a written policy addressing data security and identity theft prevention and response. That policy needs to include language that effectively states "All sensitive information must be encrypted when it is stored in an electronic format." Since federal legislation leaves the door open by not mandating encryption, it is incumbent on business to make encryption a standard practice.
It should be noted that new Massachusetts legislation requires all businesses to encrypt data stored on servers, and other states are sure to follow. The blog article also points out that HIPAA treats encryption as an addressable standard. Addressable standards carry their own rules: they require a risk management assessment and, where the measure is not implemented, reports showing why such steps were not taken.
What is regrettable, in my opinion, is that a lot of businesses seem to look at this as a chore and an expense, but encryption, along with other steps, will prevent data loss and identity theft and thereby offset the risk of lawsuits. Isn't an estimated $48 billion loss to business and individuals an expense? That is the FTC's estimate of the direct and indirect cost to American business from identity theft in 2007. In a time of economic crisis, is the hemorrhaging of unnecessary expenses acceptable?
Aren't we supposed to be looking for ways to prevent identity theft? If so, how are we going to stem the tide of data breaches and the identity theft episodes that follow if the business community ignores the obvious? A business must do everything that its resources will allow. Is encryption such a chore that starting an encryption program is not worth the effort? Consider the possible outcome of a data breach. The loss of one valued customer or a single lawsuit could be enough to shut down a small business, and would likely cost many times the price of basic encryption procedures. Anyone who is following the stories of the Southern California wildfires can see what an out-of-control fire can do in a very few minutes. A data breach is no different. Beyond the public loss of confidence, the net effect of a data breach is the out-of-control, rampant growth of data theft and misuse. After all, it isn't someone else's information at stake. It is ours, yours and mine.