Everyone worries about companies losing their customers’ data. Consumers are upset when their private data is exposed, and rightly so. Firms fret about the potential legal consequences and costs of security breaches, which on average decrease their market capitalization by 2.1%. Policymakers feel they should do something to limit this market failure, but what?

One solution that looks like a one-size-fits-all easy fix is encrypting consumer data. In theory, encryption should be foolproof because it means data cannot be read without an encryption key. Many laws currently offer firms “carrots” to use encryption. For example, firms do not have to send out costly notifications to consumers about lost data if the lost data was encrypted.

My research (also found on SSRN) with Amalia Miller of the University of Virginia and RAND investigates how effective encryption regulation has been in reducing the risk of data breach. We focus on healthcare because there is data on both encryption software adoption and publicized data breaches in that sector, and because medical data is especially personal.

Surprisingly, we find empirical evidence that when hospitals adopt encryption software, it does not reduce instances of publicized data loss. Instead, adopting encryption software makes publicized data losses more likely, particularly instances of data loss due to negligence or internal fraud. The result is a moral hazard: firms using encryption software are more careless about controlling internal access to encrypted data, and their employees are more careless about computer equipment containing encrypted data. Losing a computer with encrypted data can still matter a lot, especially since employees often keep the key with the encrypted data or lose the password, compromising the encryption. We therefore recommend against relying on encryption software as the answer when it is the only security measure a firm takes.
Instead, firms should use a broad set of practices, including training and awareness programs, manual procedures and controls, and strong identity and access-management deployments. The fact that encryption software adoption is associated with an increase in fraud may suggest that firms relying on encryption software often do not also deploy effective data access controls.

Our findings matter for policymakers because safe harbors for companies that encrypt their data are at the heart of the recently proposed federal bills governing the security of data. Encryption only works as well as the firm’s ability to protect the password or key. If policy promotes this seemingly easy technological solution in isolation, without also promoting the human-based processes that complement encryption’s effectiveness, a safe harbor for encrypted data may not have the intended effect.

Posted by Catherine Tucker, Douglas Drane Career Development Professor in IT and Management and Associate Professor of Marketing at MIT Sloan School of Management