Stanford University is the latest large organisation to be involved in an unintentional leak of personal data. A laptop was stolen that contained the personal details of 62,000 former and current employees. The data included:
- Name, gender, date of birth
- Social Security number
- Salary, business title, office location, office phone number, and e-mail address while employed by Stanford
- Home address and phone number while employed by Stanford
- Stanford ID card number and Stanford employee number
Oh dear!!! With all of that data, identity theft is very, very easy.
Stanford seems to be reacting in a very professional and open manner, which is good. My reason for posting is data encryption. Over the years, while working for corporations, I have been involved in many discussions around the handling of sensitive data, and the issue of using encryption boils down to a couple of major topics.
Firstly, encryption tools can be difficult for the average computer user to use. Secondly, once data is encrypted, moving it is made difficult (I know that’s the point), which makes ongoing use of the data by people who need access problematic.
The first reason is solvable via training, but if you don’t use the encryption tools regularly issues still pop up, and they will do so late on a Sunday night before an important presentation the next day. That’s Murphy for you.
The second issue is more difficult. Person A needs to send data to Person B, so it is encrypted using regular public key technology: nice and simple if only Person B needs to use the data. But what happens when more people need to access the data? Well, Person A needs to re-encrypt with all of the required public keys. It is this step where things get nasty. If Person A is in another organisation on the other side of the world, which is not uncommon in outsourcing, it could take time. So Person B decrypts the file and shares it unencrypted so that business can be done. Yes, they could re-encrypt it, but in most organisations this does not happen. Not to mention what happens when either person leaves their respective organisation.
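The re-encryption step described above, as an added example that is not part of the original post. It goes beyond the post's case by using envelope (hybrid) encryption: the file is encrypted once with a random data key, and only that key is wrapped per recipient, so an existing recipient can add another without the plaintext file ever being shared. The names `seal`, `open`, `addRecipient`, `newPerson` and the labels B and C are assumptions made for the illustration; it uses only Node's built-in crypto module.

```javascript
const nodeCrypto = require('crypto');

// Constructed RSA key pair for one hypothetical person in the scenario.
function newPerson() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// RSA-OAEP with SHA-256 is used to wrap the 32-byte data key.
const oaep = (key) => ({
  key,
  padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING,
  oaepHash: 'sha256',
});

// Person A: encrypt the file once with AES-256-GCM, then wrap the data key
// for each recipient's public key. recipients maps a label to a public key.
function seal(plaintext, recipients) {
  const dataKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', dataKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const envelope = { iv, ciphertext, tag: cipher.getAuthTag(), wrappedKeys: {} };
  for (const [name, publicKey] of Object.entries(recipients)) {
    envelope.wrappedKeys[name] = nodeCrypto.publicEncrypt(oaep(publicKey), dataKey);
  }
  return envelope;
}

// Recover the data key; throws if this person was never given a wrapped copy.
function unwrap(envelope, name, privateKey) {
  const wrapped = envelope.wrappedKeys[name];
  if (!wrapped) throw new Error(`no wrapped key for ${name}`);
  return nodeCrypto.privateDecrypt(oaep(privateKey), wrapped);
}

// Any listed recipient decrypts; the GCM tag check rejects a modified file.
function open(envelope, name, privateKey) {
  const dataKey = unwrap(envelope, name, privateKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', dataKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Person B grants access by re-wrapping only the data key, not the file.
function addRecipient(envelope, granter, granterPrivateKey, newName, newPublicKey) {
  const dataKey = unwrap(envelope, granter, granterPrivateKey);
  envelope.wrappedKeys[newName] = nodeCrypto.publicEncrypt(oaep(newPublicKey), dataKey);
  return envelope;
}
```

Deleting an entry from `wrappedKeys` only stops future unwraps from that copy of the envelope; someone who has already recovered the data key keeps it, so removing a person who has left means sealing the data again under a fresh key.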
As we move into a world of mashups, open APIs and other Enterprise 2.0 goodness, security is going to be even more important and complex!