Every organization in business today holds personal information about individuals. Whether those individuals are consumers, customers, clients, patients, employees, or business partners, you collect a mass of personal information about them: Social Security numbers (SSNs) and other government-issued identifiers, consumer reports, background checks, test results, medical files, financial or health information, and perhaps even biometric data.
Forty-six states, the District of Columbia, the Virgin Islands, Puerto Rico, the Federal Trade Commission, the federal financial regulators, and the Department of Health and Human Services have all adopted some form of notification requirement that obligates you to notify individuals if their information is affected by a security breach. Depending on which laws are implicated, you may also have to notify regulators, consumer reporting agencies, and the media. But these laws, despite their differences on other points, all have one thing in common: if the affected data was encrypted and the encryption key was not compromised, the breach does not have to be reported. With the average cost of a security breach estimated at $6.75 million (according to the Ponemon Institute's 2009 study on the topic), is it any surprise that organizations are rushing to buy encryption solutions for their laptops, thumb drives, PDAs, and even internal systems? In fact, encryption is required in certain circumstances by HIPAA, Nevada state law, Massachusetts regulations, and numerous state laws governing the use of SSNs.
But before you hurry out to snap up the first encryption package a vendor dangles in front of you, make sure the solution will actually provide the "magic bullet" you are seeking. Be aware that the laws at issue vary in what they are willing to consider "encryption." Remember, too, that the safe harbor turns on the key as well as the data: a laptop that is stolen while it is powered on and unlocked, or a device whose passphrase travels with it, may leave the key compromised and the exemption out of reach, no matter what algorithm the product uses.