Problem

A slew of well-publicized security breaches has executives wondering: Could I be next?
For many Americans, the first shoe dropped on Feb. 15, 2005, when ChoicePoint Inc. announced that identity thieves had created 145,000 bogus accounts. Ten days later, the second shoe landed: Bank of America Corp. lost a backup tape containing 1.2 million customer records.

Suddenly it seemed as if security breaches were raining down like bombs, and corporations seemed powerless to stop them. From the ChoicePoint breach until now, the Privacy Rights Clearinghouse has documented dozens of serious breaches and hundreds of smaller ones, from the theft of a computer containing the personal records of 28.6 million U.S. veterans to the hacking of credit-card processing company CardSystems Solutions Inc., which potentially compromised data on 40 million consumers.

Consumers, business partners and legislators are outraged. And corporations are worried. Executives have little interest in finding themselves in the hot seat at a Congressional hearing, or worse, at the defense table at a civil or criminal trial. Meanwhile, legislators have proposed a variety of bills aimed at protecting citizens' privacy, though nothing has yet passed Congress. Among the bills still in committee is the Financial Data Protection Act (H.R. 3997), which would allow companies that encrypt their data to take that into consideration when determining if a breach should be publicized.

Despite the consumer uproar and congressional fulminations, corporations aren't rushing to encrypt their sensitive customer data. According to a survey of 227 North American-based security professionals from organizations with at least 1,000 employees, conducted in March 2005 by Jon Oltsik, an analyst at the Enterprise Strategy Group, only 36 percent use encryption. "By far, the two most important reasons companies have not yet implemented encryption are cost and worries about decreased performance," says Oltsik. Cost was cited by 64 percent of all respondents, and overall system performance by 60 percent.

Experts agree that encryption technology itself is pretty much foolproof. If the consumer data lost or stolen in the recent high-profile incidents had been encrypted, thieves would have ended up with nothing. The National Institute of Standards and Technology says a code-breaking super-computer would require 149 trillion years to decrypt a 128-bit encryption key. Who wouldn't want that kind of protection?

What privacy regulations govern our industry and those of our business partners?

How do you rate the negative effect on the organization of various types of data losses?

Story Guide: