U.S. Moves Ahead with Data Encryption Measures
Erin Early of Lavasoft forwarded an interesting short article she wrote on U.S. data encryption laws.
33 million records.
That's the number of consumer records that have been exposed so far in 2008, a record year for data breaches, according to statistics from the Identity Theft Resource Center, which tracks breaches reported by U.S. organizations. And that count may only be the tip of the iceberg; without a federal requirement for organizations to quantify the number of consumers affected by data breaches, the real figure is likely much higher.
Given that over 80 percent of these breach events were due to electronic data breaches, it's little wonder that states throughout the U.S. are pushing to enact strong data security regulations to ensure that businesses protect sensitive customer data that is stored on computers or transmitted electronically via websites and e-mail.
Nevada is the first of several U.S. states to adopt new laws mandating that businesses better protect their customers' digital confidential information. As of October 1, 2008, Nevada law requires businesses in the state that engage in the electronic transmission of certain personal information -- including names and credit card numbers -- to encrypt such transmissions.
The law is affecting the way organizations do business, and presents unexpected hardships for many. Charity organizations, which often store vast amounts of confidential information -- including client names and addresses, as well as donor credit card information -- are among the hardest hit by the new mandate, forced to overhaul their data systems while still carrying out the vital work they do.
One such group affected by the law is the Foundation for Positively Kids (FPK), a non-profit organization dedicated to providing comprehensive care to medically dependent and terminally ill children in Las Vegas, Nevada.
"We are trying to take care of sick and dying kids -- why do I have to worry about a new Nevada encryption law?" Fred Schultz, CEO and founder of FPK, asked rhetorically in a recent NonProfit Times article which reported on the new requirements for secure transmission of donor and client information.
According to Schultz, the difficulty lies not in encryption itself, but in setting up the necessary security systems to accommodate the new law.
"All personal items on families we serve is sent or received by e-mail or fax. This must now be encrypted," Schultz said.
Organizations in Nevada are not the only ones affected by increased encryption measures. Massachusetts has recently enacted a data privacy and security measure that is even broader than Nevada's. The law, which takes effect on January 1, 2009, includes encryption of data stored on laptops and other portable devices.
With Nevada's law in effect, and Massachusetts' legislation ready to move forward, other states are expected to follow with similar measures. Michigan and Washington state are also considering such regulations. At the same time, companies based outside of these states may also need to take heed of the new regulations; since the laws apply to out-of-state companies that operate or have customers within the state's limits, even specific state regulations have the potential to affect many.
"This may well be a telling example, indicating the type of legislative and accountability measures to come in the future. These types of encryption laws serve as a reminder of the importance of protecting personal information, and the steps that can be taken -- by both consumers and businesses -- to safeguard sensitive data. While encryption is not the only step that companies should be taking to protect private data, it is certainly a critical one," said Jason King, Lavasoft CEO.
"While these laws may present initial compliance issues for some organizations, the mandates are sure to trigger more awareness of the need to adopt security measures to protect private data, which is, ultimately, a positive step for consumers," King said.