'No One Told Me' excuse wearing thin

The fact that TalkTalk was not explicitly told to encrypt data was no excuse for not doing so, argues CipherCloud's Willy Leichter

We aren't legally mandated to lock our car doors when we park in public. We aren't required to check that the stove's off when we leave for work. And we aren't told to hold on to our kids when at the store. But we do these things because those preventative steps are prudent and make sense. Better to be proactive rather than risk theft, house fire or loss of a child.

So if most reasonable people behave that way when it comes to securing their own most valuable possessions, why should we hold companies and the people who run them to a lower standard when it comes to securing their customers' data?

Enter TalkTalk's claim, even after a previous data breach, that it is under no obligation to encrypt customer information because the EU Privacy Directive does not explicitly require encryption. In the absence of being told to encrypt, the service provider chose to wait and see, resulting in yet another breach that placed personal customer details at risk.

This failed strategy is a sharp reminder that government mandates are not the same as best practices. Nor should they be. Most privacy regulations use the language of "adequate" or "reasonable" levels of security; few mandate the use of specific technologies. Regulators shouldn't dictate technology because they move far too slowly. The EU Data Privacy Directive was drafted 20 years ago, and long-awaited updates are still being debated.

While the letter of the law needs to remain flexible to accommodate inevitable changes in technology, the intent remains the same - to require that companies follow current best practices and adequately protect private customer data against today's risks.

On the practical side, the litany of major breaches in the last two years - JP Morgan, Sony, Target, etc - makes it obvious that companies can't afford to wait and see whether they will be targeted. Having already suffered a recent breach, TalkTalk knows first-hand the reputational damage that follows in the aftermath. But inexplicably, it continued to neglect data encryption. Faced with a choice to do more, the vendor chose to do the minimum, relying on the lack of explicit legal requirements to implement specific security tools.

Given all of today's risks and high-profile breaches, it's critical that service providers take proactive steps to secure their customers' private data and intelligently address risk mitigation. A few practical steps include:
• Use industry best practices - and as technologies and threats evolve, make sure your defences remain state-of-the-art.
• Take every opportunity to reduce risks. Many other organisations, such as BT, follow PCI recommendations to always encrypt card information.
• Use the proactive protection of encryption to reduce your exposure and simplify compliance audits.

According to Gerard Stegmaier, a leading privacy expert with the global law firm Goodwin Procter, "the question is not why you should encrypt, but why wouldn't you?" Just because regulators don't explicitly tell you to encrypt sensitive data doesn't mean that it's not expected as a "reasonable" best practice. In fact, most organisations entrusted with personal customer and PCI data choose to encrypt it whenever possible - not because they were told to, but because it's the right thing to do.

Willy Leichter is global director of cloud security at CipherCloud