The (Encryption) Key to Dealing with Data Insecurity
Valuable data stored in the cloud is sure to be a target. What can be done to make it harder to steal?
Wed, November 28, 2012
The first problem that we lawyers have when we hear "data" and "cloud" used in the same sentence is that data is valuable, and the cloud concentrates that value. Having large amounts of business and consumer data stored on Internet-connected servers tends to attract the wrong sort of attention. To paraphrase Willie Sutton, this happens because large storage providers are where the data is. Fortunately, the largest providers (like the banks that drew Sutton's interest) know this, and so they build strong walls and safeguards to secure the ever-increasing amounts of data they are contracted to store.
But as the amount of stored data increases, the law of large numbers predicts that the number of attempted and successful intrusions will rise as well. And so it has. For instance, from January 2009 to February 2012, there were approximately 300 publicly reported data breaches, and an unknown but likely larger number of unreported incidents. The Identify Theft Resource Center reported that hacking represented over 30% of the data breaches recorded during the first six months of 2012, on pace for a record year.
The second problem is that the damages from a data breach can be breathtakingly large. Even if a business merely suspects a security breach, the costs begin to pile up. First, the task of discovering the nature of the breach and the extent of the damage will require technical and legal experts and their associated fees. If the investigation requires critical servers to be taken offline, then any lost revenues will add to the total. Further legal assistance will be required to evaluate the potential liability (especially if any sort of financial or healthcare data is involved), analyze mitigation strategies and navigate the patchwork of federal and state laws related to data privacy and security. Notification of customers and associated remedial measures, including arranging for data theft insurance for affected individuals, will also not come cheap. Finally, there is the unquantifiable reputational damage from the publicity surrounding such an event -- the affected business may need to undertake broad marketing campaigns to overcome the negative impressions and win back customers.