The Value of Encryption – Cyber Liability

Stew Nelson Senior Risk Advisor


Insurance companies like to explain in fairly fuzzy language exactly what they will insure, and then describe in very specific language what they won’t cover by using a list of policy exclusions. I recently issued a cyber liability policy that contained the following exclusion:

“For, arising out of or resulting from any theft of, loss of, or parting with, any portable computing device or media containing data in electronic format, unless the data is stored on such device or media are stored in an encrypted format.”

In plain language – this means that if you lose a laptop, smart phone or hard drive with unencrypted data on it, then the insurance carrier will not pay for the claim. That sounds like a strong and compelling reason for you to encrypt the data on anything that might be lost or stolen off your premises. Even though we all know that the NSA can decrypt almost all types of encrypted data, I suspect we will start seeing this or similar language on every cyber liability policy, so you should start working on a way to comply.

To get an idea of what the best encryption software is, please take a look at this blog post on Full Disk Encryption (FDE) on eSecurityPlanet.com. According to the author, Paul Rubens, FDE is the best way to protect a laptop – period! Paul then describes a list of software packages that utilize FDE to encrypt all the data on the disk. It looks to me like every major data security vendor has software that would protect you from a lost laptop.

That leaves us with a solution for everything but our tablets and smart phones. I will try to address that need in my next post.