The General Data Protection Regulation & The Duty to Encrypt
The General Data Protection Regulation, abbreviated to GDPR, raised a storm when it arrived. In reality, it merely tightened up on existing good practice according to digital security specialists Gemalto. The right to withhold consent and to be forgotten has always been there, for example. However, the GDPR brings a free enforcement service for consumers, thus avoiding the need for third party, paid assistance.
The GDPR Bottom Lines for Data Security
Moreover, the GDPR has penalties it can apply, of the order that might have a judge choking on his wig. Under it, data security measures such as pseudonymisation (substitution of identifying fields) and encryption (encoding including password protection) have become mandatory. Businesses must further respect their client data by:
a) Storing it in a secure environment supported by robust services and systems
b) Having proven measures to restore availability and access after a breach
c) Being able to prove frequent effectiveness testing of these measures.
The General Data Protection Regulation places an onus on businesses to report any data breaches. This places us in a difficult situation. We must either face at least a wrist slap upon reporting failures. Alternatively, pay a fine of up to €10 million, or 2% of total worldwide annual turnover.
The Engineered Weak Link in the System
Our greatest threat of breach is probably when the data leaves our secure environment, and travels across cyberspace to an employee, stakeholder, collaborator, or the client themselves. Since email became open to attack, businesses and individuals have turned to sharing platforms like Dropbox, Google Drive, Skydrive, and so on. While these do allow an additional layer of password protection, none of these has proved foolproof. The GDPR may still fine us heavily, whether or not we are to blame for the actual breach.
How Hacking is Approaching Being a Science
We may make a mistake we may regret, if we do not take hacking seriously. The 10 worst data hacks Identity Force lists are proof positive that spending lots of money does not guarantee security (any more than having the biggest stock of nuclear weapons). We have to be smart, and start thinking the way that hackers do.
Hacker heaven is finding an Experian or a Dun & Bradstreet that may have shielded 143 million, and 33 million consumer records respectively, behind a single, flimsy cyber-security door. Ignorance is no excuse for them. They should simply have known better. They should have rendered consumer data unreadable at individual record level. The hackers could have found this too demanding to unpick, and have looked elsewhere.
How Data Encryption Can Help Prevent Hackers Succeeding
Encrypting data is dashboard driven, and businesses need not concern themselves about it works. There are, however, a few basic decisions they must take:
a) Purge the database of all information held without explicit permission
b) Challenge the need for the remaining data and purge the nice-to-haves
c) Adopt a policy of encrypting access at business and customer interfaces
d) Register with three freemium encryption services that seem acceptable
e) After experimenting, sign up for a premium service and be prepared to pay
Factors to Consider When Reaching a Decision
Life Hacker suggests the following criteria although the list is a one-size-fits-all
a) Is the system fast, simple, and easy to operate
b) Can you encrypt hidden volumes within volumes
c) Can you mass-encrypt a batch of files easily
d) Do all other files remain encrypted when you open one
e) Do files automatically re-encrypt when you close them
f) How confident are you with the vendor, on a scale of 1 to 10
It may be wise to encrypt all the files on your system, and not just your customer data. We are always open to a hack by the competition after our strategic planning. If we leave the decision up to IT, then IT, being human may take the easy way out, and encrypt as little as possible.