Policy by the Numbers
Data for policymaking from Google and friends.
Protecting personal data through encryption is not enough
Monday, December 12, 2011
Everyone worries about companies losing their customers’ data. Consumers are upset when their private data is exposed, and rightly so. Firms fret about the potential legal consequences and costs of security breaches, which on average decrease their market capitalization by 2.1%. Policymakers feel they should do something to limit this market failure, but what?
One solution that looks like a one-size-fits-all easy fix is encrypting consumer data. In theory, encryption should be foolproof because it means data cannot be read without an encryption key. Many laws currently offer firms “carrots” to use encryption. For example, firms do not have to send out costly notifications to consumers about lost data if the lost data was encrypted.
also found on
) with Amalia Miller of the University of Virginia and
investigates how effective encryption regulation has been in reducing the risk of data breach. We focus on healthcare because there is data on encryption software adoption and publicized data breaches in that sector, and because medical data is especially personal.
Surprisingly, we find empirical evidence that when hospitals adopt encryption software, it does not reduce instances of publicized data loss. Instead, adopting encryption software makes publicized data losses more likely, particularly instances of data loss due to negligence or internal fraud.
The result is that firms using encryption software are more careless about controlling internal access to encrypted data, and their employees are more careless about computer equipment containing encrypted data. Losing a computer with encrypted data can still matter a lot, especially since employees often keep the key with the encrypted data or lose the password, compromising the encryption.
We therefore recommend that encryption software is not the answer when it is the only security measure a firm takes. Instead, firms should use a broad set of practices, including training and awareness programs, manual procedures and controls, and strong identity and access-management deployments. The fact that encryption software adoption is associated with an increase in fraud may suggest that firms relying on encryption software often do not also deploy effective data access controls.
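The point that encrypted data on a lost laptop is only as safe as the key that travelled with it can be made concrete. The following is an added illustration, not code from the original post or the underlying paper: a small authenticated toy cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen so that a wrong key is detectable) and an audit that, given a constructed inventory of what was on a lost device, reports which "encrypted" datasets are effectively readable by whoever finds it. The three exposure cases it checks are the ones the post describes: a key file stored beside the data, a password written in a note on the device, and a key derived from a guessable password. Dataset names, file names, passwords and the `WEAK_PASSWORDS` list are all constructed for the example.

```python
"""Added example: does 'encrypted' data on a lost device actually stay protected?
Toy cipher for illustration only; use a vetted AEAD (e.g. AES-GCM) in real systems."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: deterministic pad derived from key and nonce."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (tag check fails)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def derive_key(password: str) -> bytes:
    """Password-derived key; a guessable password makes the key guessable too."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 50_000)


# Constructed list of passwords an opportunistic finder would try first.
WEAK_PASSWORDS = ("password", "123456", "welcome1", "hospital")


@dataclass
class LostDevice:
    ciphertexts: dict   # dataset name -> encrypted blob
    other_files: dict   # file name -> bytes (key files, notes, ...)


def recoverable_keys(device: LostDevice):
    """Yield (key, reason) for every key the device itself gives away."""
    for fname, content in device.other_files.items():
        if fname.endswith(".key"):
            yield content, f"key file '{fname}' stored beside the data"
        elif fname.endswith(".txt"):
            for line in content.decode("utf-8", errors="ignore").splitlines():
                if line.strip():
                    yield derive_key(line.strip()), f"password written in '{fname}'"
    for pw in WEAK_PASSWORDS:
        yield derive_key(pw), f"key derived from guessable password '{pw}'"


def assess_exposure(device: LostDevice) -> dict:
    """Map each dataset to 'exposed: <reason>' or 'protected: ...'."""
    candidates = list(recoverable_keys(device))
    result = {}
    for name, blob in device.ciphertexts.items():
        result[name] = "protected: key not recoverable from the device"
        for key, reason in candidates:
            if decrypt(key, blob) is not None:
                result[name] = "exposed: " + reason
                break
    return result


def datasets_requiring_notification(device: LostDevice) -> list:
    """Encryption alone does not settle the question: every dataset whose key
    travelled with the device should be treated as a breach."""
    return sorted(n for n, v in assess_exposure(device).items() if v.startswith("exposed"))


def build_example_device() -> LostDevice:
    """Constructed inventory of a lost laptop; every value here is made up."""
    local_key = os.urandom(32)
    off_device_key = hashlib.sha256(b"held in a separate key-management system").digest()
    return LostDevice(
        ciphertexts={
            "patients.db": encrypt(local_key, b"constructed patient record"),
            "billing.db": encrypt(derive_key("Hosp1tal-2011!"), b"constructed billing data"),
            "archive.db": encrypt(derive_key("password"), b"constructed archive"),
            "research.db": encrypt(off_device_key, b"constructed research extract"),
        },
        other_files={
            "patients.key": local_key,             # key kept next to the data
            "notes.txt": b"db passphrase\nHosp1tal-2011!\n",  # sticky-note password
        },
    )


if __name__ == "__main__":
    for name, verdict in assess_exposure(build_example_device()).items():
        print(f"{name}: {verdict}")
```

Only `research.db`, whose key never touched the device, comes out as protected; the other three are exactly the cases in which a blanket "it was encrypted" safe harbor would excuse a loss that is, in practice, a disclosure.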
Our findings matter for policymakers because safe harbors for companies that encrypt their data are at the heart of the recently proposed legislation governing the security of data. Encryption only works as well as the firm's ability to protect the password or key. A safe harbor for encrypted data promotes a seemingly easy technological solution in isolation; unless it also promotes the human-based processes that make encryption effective, it may not have the intended effect.
Douglas Drane Career Development Professor in IT and Management and Associate Professor of Marketing at the MIT Sloan School of Management
The authors of these posts include Googlers and guest bloggers. Opinions expressed here do not necessarily represent Google’s views. We hope the numbers presented will inspire meaningful conversations and inform policy debates.