Latest Round Of Data Thefts Highlights Need For Mandatory Encryption Of Personally Identifiable Information
So by now many of you have heard about the intrusion and data theft that took place with Sony’s PlayStation Network. A few weeks before that, you heard about another major data theft involving seemingly every major company you can think of. At this point it seems that no credit card info was compromised in either theft, which is good, but your personal information was (they are still evaluating the theft in the PSN case, and credit card data may have been stolen as well). These latest incidents and others like them send a very clear message to me: we need to do more when it comes to the protection of user data.
Today, most companies, as standard practice, don’t encrypt personally identifiable information, or PII (email, phone number, address, etc.), while they almost always encrypt credit card and purchase info. The thinking was that while the possible loss of PII was an annoyance, the loss of credit card info could expose them to real legal liability. The rash of recent data thefts has highlighted a need to mandate that all PII and purchase info be encrypted (both at rest and in transport). When companies don’t encrypt your data, it’s stored in the database in something called plain text. This is where the problem is: the data needs to be encrypted in the actual database, which is often referred to as encryption of data at rest.

Today, most companies try to focus on the fact that the data is not transmitted in clear text, or “in the clear,” which would make it vulnerable to theft during transmission. People commonly get this confused, but the fact is that in this scenario the data is only encrypted during transmission and is stored in plain text at the origin point and at the destination point, and that just isn’t good enough anymore. In this scenario, a criminal couldn’t steal your data in transit using a packet sniffer, but if they got access to the data on either end of the transport, they would have everything they need. Once they gain access to the database, they can easily export that data to a spreadsheet and sell it to the highest bidder.
At this point you are probably thinking, then why the heck don’t companies just encrypt all my data? Honestly, there is no real technical reason why they can’t. It would take a little bit more work on their part from an integration standpoint, but for the added peace of mind to the consumer I think it is a small price to pay.