This past week I have been reading about the data breach in
South Carolina. Hackers gained access to the records of the Department of
Revenue and 3.6 million South Carolina Taxpayers data. Data ranging from Social
Security numbers to home addresses was available.
In the days following the notice of the breach the Governor Nikki
Haley has spoken about the data not being encrypted. In her comments she stated
that “The industry standard is that most Social Security numbers are not
encrypted. A lot of banks don’t encrypt. A lot of those agencies you might
think encrypt Social Security numbers actually don’t. It’s not just that this
was a DOR situation, but an industry situation.”
For the past ten years I have tried to bring to the
attention of the public that data exposure is a real problem. In California
where the first data breach notice law was created, the standard is that if the
data is encrypted then notice is not needed. This was included to provide
business with a security step that would make encrypting the data a more cost
effective option.
There are numerous ways to encrypt the DOR data and still
allow DOR personnel to use it. I wonder if the Governor considers paying for
3.6 million people to have credit report monitoring is more cost effective. We
are rapidly approaching the point where those who have a breach, and had not
taken the step of encrypting the data, will find themselves discussing the
standards in front of a jury of their peers.
No comments:
Post a Comment