After Anthem Hack, What GCs Should Know About Encryption
Anthem Blue Cross, one of the nation's largest health insurance providers, revealed yesterday that its computers had been hacked, resulting in access to the records of millions of customers. This information included birthdays, Social Security numbers, addresses, and lots of other data that would be great if you wanted to steal someone's identity.
The Wall Street Journal reported that Anthem didn't encrypt the data that it kept in its own systems, which is really a rookie mistake. Sure, the law didn't require Anthem to encrypt the data, but that's no excuse. If your company is already encrypting data, good for you! You get a sticker. But if the company isn't, it's time to take a walk with the CTO and explain why you should.
Here are three things in-house lawyers should know about encryption:
1. It's a Really, Really Good Idea.
According to the WSJ, hackers were able to readily access Anthem's data because they weren't encrypted. Although apparently that's not a legal requirement, it's a common sense requirement. Sensitive data -- which includes Social Security numbers, names, and addresses -- must be kept as secure as possible. A simple password wall just isn't going to stop a determined hacker (and your password wall probably isn't all that secure, anyway).
While encryption isn't necessarily a guarantee that a company's data are safe, it's a big deterrent to stealing information. A hacker would much rather go after information stored in clear text that can be accessed with a simple password than deal with decryption. It's the difference between having an alarm system at your house and not.
2. It's Not That Expensive or Time-Consuming.
Although an unnamed source told the Journal that Anthem didn't encrypt data because "those things slow companies down, sometimes to a degree they find unacceptable," and because it "would have made it harder for Anthem employees to track health care trends or share data with states and health providers."
That's a bunch of baloney. Companies that store even less-sensitive data than health care information encrypt their data. Believe it or not, companies involved in consumer marketing also encrypt their data (and they make their vendors do it, too, if they're handling that data). But for some reason, health care information isn't as important as that?
The cost of encryption has gone way down in terms of the cost of back-room equipment to handle encryption and the time and expense of decryption (computers are a lot faster than they used to be). You don't need a supercomputer to keep data secure. Have an iPhone with a passcode on it? Guess what: The data are encrypted. Yeah, it's that easy.
3. Simple Passwords Don't Cut It Anymore.
Corporate security departments need to think about security in terms of thieves trying to get in. A single point of failure means that all the thief has to do is focus on that one point, and he'll have access to everything. (If Lord of the Rings analogies are more your forte, remember how the bad guys got into Helm's Deep?)
Maybe you've seen people walking around with an "RSA" fob on their key ring? That little device is called RSA SecurID and it's used for two-factor authentication to sensitive information, the same way you can set up two-factor authentication for your Gmail account. If it had been employed at Anthem, then hackers likely wouldn't have been able to access sensitive data with just a stolen password; they would have needed the RSA fob as well.
Whatever you think it might cost to encrypt data, that cost pales in comparison to the cost of lawsuits, fines, and loss of goodwill that comes from hacking.
Related Resources:
- China to Blame in Anthem Hack? (Krebs on Security)
- The Impact of a Data Breach Can Be Minimized Through Encryption (Security Intelligence)
- Google Likes Encryption; Joins Yahoo in 'Spy-Free' Email Project (FindLaw's Technologist)
- In-House Attorneys' Game Plan for Data Breaches and Cybersecurity (FindLaw's In House)