Following the report earlier this week that a laptop containing 13,000 BP claimants’ personal data was missing, Jaikumar Vijayan reports that data breaches involving unencrypted laptops and portable drives continue at inexcusably high rates:
The company is only the latest in a long list of organizations that have made similar announcements over the past several years. In fact, data compromises involving lost or stolen laptops, unencrypted storage disks, and other mobile devices account for a substantial portion of breaches these days…. a distressingly large number of companies have continued to ignore the advice — some because they are unwilling to spend the money and others because of the perceived complexity involved with encryption.
“There really is no excuse for not encrypting laptops,” said Avivah Litan, an analyst with Gartner.
Read more on Network World.
Clearly, as my occasionally snarky comments on this blog and phiprivacy.net suggest, I agree with the analysts quoted in the news story. For how many years will we continue to read that entities were “in the process of encrypting” at the time of a breach, or that, now that they’ve had a breach, the entity is “speeding up” its efforts to harden its security and to use encryption? Encryption meeting NIST standards offers safe harbor for HIPAA-covered entities and can save time and money in terms of the costs of a breach. Would entities really rather spend $10-$15 per person offering free credit monitoring after a breach, or should they invest much less in preventing the breach? And how much is brand harm or bad press worth? Isn’t it worth the cost of encrypting your laptops and thumb drives?
Entities that collect information need to protect it. Anything else is just playing fast and loose with our information and our privacy and should incur fines or penalties. The “grace period” should be over.