After reading the explanation in the paper from the Governor of South Carolina after the state's recent data breach of an almost unprecedented scale (see Data Breach), I felt compelled to address some of the blatant misconceptions in the Governor’s response, which I hope are not the norm for most business and governmental leaders.
First, who needs to encrypt data? If you store Personal Information (PI) or Personal Health Information (PHI), you need to encrypt your data. Encryption is always the first line of defense against a lawsuit if you have a data breach and your data is stolen. In the absence of a national privacy law, the de facto standard for data care falls to the HIPAA and HITECH regulations. Even though these regulations specifically deal with PHI, the courts are increasingly interpreting them as a benchmark standard for securing all types of sensitive information.
If you decide not to encrypt data, the HIPAA Security Rule states you may implement an equivalent solution (whatever that might be) to meet the regulatory requirement, but encryption is still considered the next best thing to not storing sensitive data in the first place.
Also, contrary to Governor Haley’s statement that encrypting data was “too complex and cumbersome” to do – recent advances in encryption technology have made encrypting data much easier, even over multiple networks and platforms (see “Lies We Tell Our CEO’s….” by Ericka Chickowski).
Lastly, I do agree with Governor Haley that there is some inevitability in whether or not you become the target of a cyber attack (although if you do have an attack, I certainly hope you don’t lose 3.6 million Social Security numbers and 657,000 business tax returns!). So after you have locked away your data to the best of your ability, remember that everyone needs cyber liability insurance. Eventually it will be a standard part of every policy, but for now we do have some very good stand-alone cyber products available to you that are very affordable. Don’t put off that discussion with your agent any longer!