Over the past several years, governments have taken action to assist victims and require organizations to comply with minimum preventive personal privacy security standards and public data breach disclosure and reporting requirements.

Encryption is another effective weapon that IT departments can use to protect sensitive information, help prevent identity theft, help bring their company in line with government regulations and industry standards, and help reduce the risk of exposing their company to potentially devastating financial impacts of data security breaches.

Government and Industry Regulations Continue to Evolve

Over the past 10 years, both government and industry have been applying pressure to ensure improvements in safeguarding consumer information. These measures include, but are not limited to, financial services organizations, public companies and health care providers.

More recently, the number of US states adopting consumer protection legislation intended to better protect their residents' personal and financial information has grown. "In the U.S., more states are passing laws pertaining to data privacy and security. Thirty-eight so far have laws on the books related to breach notification", according to the Ponemon Institute's Mike Spinney. As you'll note later in this article, the number of states has now reached 39.

How did we get here and what does it all mean for IT security?

The Gramm-Leach-Billey Act

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Billey Act" or GLBA, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and pretexting provisions.

The Safeguards Rule requires all financial institutions to "design, implement and maintain safeguards to protect customer information". The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions "such as credit reporting agencies" that receive customer information from other financial institutions.

Safe Harbor

The European Commission’s Directive on Data Protection that prohibits the transfer of personal data to non-European Union nations that do not meet the European “adequacy” standard for privacy protection went into effect in October of 1998. In order to provide a streamlined means for U.S. organizations to comply with the European Commission's directive, the U.S. Department of Commerce developed the "Safe Harbor" framework to provide organizations with the information they need to evaluate – and join – the Safe Harbor.

The basic requirements of Safe Harbor are that "Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction."

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley Act of 2002 was enacted in response to a number of major corporate and accounting scandals (such as Enron). The Act contains 11 titles, ranging from additional Corporate Board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on compliance requirements.

While many in IT security have debated whether SOX's Section 404 (which relates to IT practices) imposes specific IT policy compliance with regard to the security of information (the original intent was focused on the integrity or reliability of financial data), it's clear that the overall intention of SOX was to put better financial controls in place, and some would argue that improving IT security is in concert with the intent of the act.

HIPAA

In order to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) the "Security Rule", specifically titled “Security Standards for the Protection of Electronic Protected Health Information” was adopted. HIPAA's Security Rule provides Technical Safeguards standards intended to represent good business practices for technology and associated technical policies and procedures within an organization covered by HIPAA regulation.

The Security Rule defines technical safeguards as “The technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Covered organizations were required to be in compliance by April 2005, except small health plans, which were given an additional year to come into compliance.

The Security Rule includes an Access Control standard that requires covered entities "Implement technical policies and procedures for electronic information systems...to allow access only to those persons or software programs that have been granted access rights..."

The Security Rule does not identify a specific type of access control method or technology to be used, but includes:

• Unique User Identification (Required)
• Emergency Access Procedure (Required)
• Automatic Logoff (Addressable)
• Encryption and Decryption (Addressable)

States Get in the Act

States across the country are enacting laws to protect the privacy of their citizens and require companies to notify affected consumers when data security has been breached.

California

The state of California enacted its Security Breach Notice - Civil Code sections 1798.29, 1798.82, and 1798.84. This law requires a business or a State agency that maintains unencrypted computerized data that includes personal information, as defined, to "notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Like most states that are adopting similar laws, the type of information that triggers the notice requirement is an individual's name plus one or more of the following:

• Social Security number
• Driver's license or California Identification Card number
• Financial account numbers
• Medical information or health insurance information

The Latest - Massachusetts

Massachusetts recently became the 39th state to enact a data security breach notification law, the “Breach Notification Law”. Like California, Massachusetts law defines “personal information” as including a resident’s first and last name or first initial and last name in combination with any one or more of the following data elements that relate to the resident:

• Social Security number
• Driver’s license number or Massachusetts identification card number
• Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password that would permit access to a resident’s financial account
• A biometric indicator

Massachusetts' law gets a bit more specific than California's because it provides that if the personal information involved was encrypted using 128-bit or higher algorithmic encryption and the encryption key was not compromised, notice of a security breach is not required.

While this demonstrates that lawmakers are coming to grips with the problem, it can also provide a new set of problems that can result from sometimes conflicting state requirements for those businesses with customers in more than one state. It should be noted, though, that the trend is to require notification if data was not encrypted or if it was encrypted, only if the encryption key was compromised.

Increasingly Portable Technology Brings Additional Risk

With portable computing devices becoming the rule and not the exception, the risk of data loss is increasing. Data stored on laptops or USB drives can easily be compromised when these portable devices are lost or stolen. Because they're small and portable yet provide an ever-increasing amount of storage space, USB drives can be great for users but they present additional security challenges for IT staff. Because they're small, they're also easy to lose or steal.

In a McAfee-sponsored survey, 55 percent of respondents claimed that they regularly brought documents out of the workplace on a USB drive. Of those, 17 percent admitted they accidentally left their USB drive in a public place.

Including Encryption in Your IT Security Strategy

If encryption is not already part of your IT security strategy, it should be. Robust solutions, such as McAfee's new Encrypted USB and Total Protection for Data suite, are excellent tools for securing devices and data anywhere, anytime.

McAfee's Portable Storage Solutions - Encrypted USB

To prevent a very useful storage device from becoming an out-of-control IT security nightmare, McAfee's Encrypted USB drives help prevent data stored on Flash drives from leaving your company’s control. McAfee Encrypted USB storage devices use powerful encryption technology and strong access controls to ensure that information copied and stored on them is safe and can only be read by authorized persons.

With McAfee's Encrypted USB, data is automatically encrypted “on the fly” with virtually no impact on performance and is transparent to the user, so no interaction or training are necessary. Each Encrypted USB storage device is capable of supporting multiple end users who can maintain their own secure, password-protected partitions. Administrators can also create an optional “public area” in which to store information that doesn’t need to be encrypted.

Centralized management enables you to centrally define and enforce securities policies to ensure data stored on devices remains protected in case they are lost or stolen. It also allows you to deploy and manage any number of Encrypted USB storage devices and users. Further, you can use an existing Microsoft Active Directory implementation in order to match users to their respective Encrypted USB devices.

McAfee's Encrypted USB also provides extensive auditing capabilities, which can be invaluable if you ever need to prove that a USB device was encrypted at the time it was lost or stolen. It also allows you to recover user passwords centrally through a challenge-response mechanism. So even if a user leaves the organization, you can always access the data by performing a device rescue.

McAfee's Total Protection for Data Suite

Total Protection for Data incorporates the best of recently-acquired SafeBoot's strong encryption technology with authentication and policy-driven security controls to protect data in use, in transit, and at rest. Advanced reporting capabilities can be used to help meet privacy mandates, ensure “Safe Harbor” protection, and demonstrate compliance with government and industry regulations as well as internal and external auditors, board members, and other key stakeholders.

McAfee's new suite combines Data Loss Prevention (DLP) with enterprise-grade device encryption (whole-disk encryption and persistent file and folder encryption.

Data Loss Prevention

With the Data Loss Prevention features in McAfee's Total Protection for Data suite you can:

• Control how users send, access, and print sensitive data over the network, through applications, and onto storage devices
• Stop confidential data loss initiated by Trojans, worms, and file-sharing applications that hijack employee credentials
• Protect all data, formats, and derivatives even when data is modified, copied, pasted, compressed or encrypted

Whole-Disk Encryption

With the Full-Disk (also referred to as "Whole Disk") encryption features in McAfee's Total Protection for Data suite you can:

• Automatically encrypt entire devices without requiring end-user action or training, or impacting system resource
• Enjoy full-disk encryption support for multiple standard algorithms, including AES-256 and RC5-1024
• Identify and verify authorized users using multi-factor authentication

Read more about whole disk encryption.

Persistent File and Folder Encryption

Persistent file and folder encryption allows you to:

• Ensure files always remain encrypted when not in use by automatically adding a file header that travels with protected files no matter where they go
• Keep files and folders secure wherever they are saved, including on local hard disks, file servers, removable media, and even as email attachments

McAfee Endpoint Encryption (formerly SafeBoot® Encryption)

You can also protect your company’s mission-critical information with McAfee Endpoint Encryption. Endpoint Encryption offers two forms of encryption to protect data from unauthorized access wherever it is stored or travels:

• Full-disk encryption helps ensure that information remains secure when it’s stored on desktops, laptops, tablets, and other mobile devices
• File and folder encryption lets you control which specific file types and folders are encrypted—and ensure they stay encrypted regardless of where they are saved using Persistent Encryption Technology^™

Like McAfee's Encrypted USB, encryption happens transparently and “on the fly,” with virtually no system performance degradation. There’s also no user interaction or training required. As a result, you never miss a beat to keep your data protected.

When users start up their PCs, they are met with two-factor authentication before their computers can boot up. Authentication factors can be the combination of a password challenge and possession of a smart card or token or may include other authentication options. And, with single sign-on, once authenticated, users have access to all the information they need.

Like Encrypted USB, Endpoint Encryption includes centralized management features, including auditing and reporting capabilities.

Get Your Encryption Game Plan Started Today

Make encryption part of your IT security strategy. Start by contacting a CopiaTECH Encryption Security expert today!

Related Articles

• What is Encryption?
• Whole Disk Encryption
• See All Encryption Topics