Data theft is a potentially disastrous threat to organizations of every sort, yet executives have long been content to let it be someone else’s problem. That could soon change.
With the incidence of such crimes on the rise, along with consumer outrage — more than 180 million computer files containing such sensitive information as Social Security numbers, birthdates, credit card numbers, and financial or medical histories have been poached since early 2005 — legislators around the world have introduced bills that would hold organizations more accountable for safeguarding confidential information. In the United States, the most punitive proposed law, sponsored by Senators Arlen Specter, Republican from Pennsylvania, and Patrick Leahy, Democrat from Vermont, would require that companies with at least 10,000 digital files on individuals design a security system to protect sensitive records from unauthorized access. In addition, these companies would have to publish their data privacy procedures and conduct routine audits to evaluate vulnerabilities. Failure to follow these rules would result in fines and possible federal prosecution.
If this bill passes in anything near its current form, it could have a Sarbanes-Oxley–like effect on companies. Faced with this possibility, CEOs can no longer neglect the potential impact of data theft on customer loyalty, Wall Street confidence, shareholder support, litigation, and regulatory compliance.
The information technology departments of many corporations have been trying to get ahead of data theft for more than a decade. Encryption — the scrambling of data using a secret key — continues to be the standard approach for protecting information that travels over the Internet or is sent outside the company’s protective firewall to remote laptops, PDAs, and cell phones. Intercepting transmitted data is still perceived as the primary threat. In most companies, it remains the area of greatest security focus. But it is also the least likely way data will be lost or stolen.
Data can be viewed as existing in one of two states: dynamic (or moving) and static (or fixed). For every transaction involving dynamic data, there are millions of records in a static mode sitting on hard drives, magnetic tapes, CDs, and DVDs, in memory sticks and cards, and in mobile equipment like laptops, PDAs, and BlackBerrys. These records are almost never encrypted. So it is not really surprising that most data theft isn’t the work of hackers breaking into corporate networks. Digital thieves most often intercept unencrypted static data as the hardware it is stored on travels to remote storage sites, or they steal the data from portable devices.
In the last 18 months, dozens of organizations have been victimized in this way. In May, it was revealed that the U.S. Department of Veterans Affairs lost 26.5 million military records stored on a laptop that was stolen from the home of an agency employee. This came on the heels of similarly low-tech incidents at Wells Fargo, Ernst & Young, Fidelity Investments, the University of Pittsburgh Medical Center, and the University of Washington Medical Center.
Nevertheless, IT units have, on the whole, chosen to leave static data unencoded. Meanwhile, the urgent need to address this vulnerability continues to grow. While so many files remain unencrypted, the cost of computer storage is plummeting, allowing organizations to maintain vast amounts of data for longer periods of time more cheaply than ever before. Many companies now house multiple terabytes of data (one terabyte is 1,000 gigabytes), and petabyte volume is just around the corner. That’s a lot of data sitting defenseless.
The main reason is that it’s more expensive to protect static data than dynamic data because it involves modifying the hardware or software on every storage device. To encrypt data on personal devices, such as personal computers, the encryption software is usually inserted between application programs and the disk drives. As data is recorded on the storage device, it is intercepted and encrypted, and the encoded information is written to the disk. The cost of adding encryption to individual PCs and mobile equipment could exceed the cost of encrypting the company’s entire data center. And businesses traditionally balk at paying for infrastructure initiatives when they see little functional benefit.