Digital encryption technology has been recently subjected to public pressure and oversight by Congress, Federal Courts and law enforcement agencies. In the wake of the San Bernardino terrorist attacks and the ongoing public struggle between Apple and the Federal Bureau of Investigation over access to encrypted iPhone contents, it was revealed that the company does have the potential capability to design a “backdoor” software tool that would permit its holders access to the decrypted device contents of nearly any iPhone. Even without this affirmation, the existence of vulnerabilities within commonly used technologies is well supported by the increasing frequency of headline-generating reports of breaches spanning numerous technologies and industries. It is no longer a matter of “if,” but rather “when” a breach or vulnerability will occur. Below are three lessons that any security-conscious CIO, IT professional or records manager should keep in mind.
Never take security assurances for granted. Guarantees of “impenetrable” security or “unbreakable” encryption are often as much grounded in economic and advertisement expediency as they are in technical realism. Encryption technology should be regarded as merely one line of defense within an overall security strategy, rather than as a security panacea or a guarantor of protection. Managing information security requires a continuous, ongoing effort involving a convergence of people, practices, and technologies acting in cooperation. Placing too much reliance on a single security product or service is never wise.
While imperfect, encryption remains best practice. Public awareness of encryption is at an all time high. More and more consumers are demanding the benefits of encryption for their private data. Meanwhile, customer data is an increasingly important driver of business value, and enterprises are storing it in ever larger quantities. Privacy laws commonly contain safe harbor provisions that protect holders of personally identifying data when encrypted; failure to take reasonable steps to safeguard personal data can severely damage reputation and goodwill, or result in civil liability or regulatory sanction. Accordingly, a baseline best practice is to protect all essential documents, information, and personal data with encryption technology.
Get back to security basics. Experts estimate that backdoor brute force attacks could succeed in cracking an encrypted iPhone that uses a standard 4-digit password within minutes. But for 6-digit passwords, hours are required, and for 10-digit passwords, years. Traditional electronic security strategies like lengthy randomized alphanumeric passwords, offline “cold” data storage, and sharply limiting numbers of authorized users accessing data remain important safeguards even in an encrypted environment. Augment your protection with additional redundant measures such as two-factor or physical token authentication in order to create multiple layers of co-dependent security.
Understanding how to best protect your data is important, as is knowing exactly how, where, and for how long it can legally be used. To learn more about how companies are collecting and storing personal data, and the legal destruction requirements that go along with the practice, read Anonymization and Compelled and Compelled Destruction Requirements for Companies.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.