Recently I became a victim of identity theft. Criminals gained access to my name, address, date of birth, driver’s license number, social security number, and bank account number. I’ve spent the last 10 years marketing Internet security solutions, but now I know firsthand how painful it can be to individuals when a data breach occurs.
How did they get my personal information? Working in the security industry, I’m pretty careful. I’m good at recognizing phishing scams: emails that use various ploys to get you to reveal your personal information (see this paper I co-authored on the Anatomy of a Phishing Email). I rarely provide all of that personal information at one time, I don’t keep it stored on my computer, and I don’t even keep documents with all of that information in the same place. I also shred any personal mail. (For my tips to consumers on how to protect against identity theft, see my blog post on Trend Micro Fearless Web that covers preventative measures.) So my guess is that a company I do business with got hacked—and they probably don’t even know it.
What did the cybercriminals do with my personal information? They created a fake driver’s license, walked into bank branches in Southern California, and emptied my checking account (I live in Northern California). Then they made counterfeit checks with my account number and somehow cashed these checks, overdrawing my account. At the same time, they created another fake driver’s license and someone in Lexington, Kentucky opened new accounts in my name with various retail stores—including Target, Victoria’s Secret, and AT&T Wireless.
Altogether, they got away with over $13,000 in money and goods from banks and retailers—and they did all of this in just a couple of days. Thanks to a call from Target that questioned the account application, I found out early enough to freeze any new accounts. I have spent countless hours and heartache trying to regain control of my accounts and credit. I would have been spared this nightmare if my personal information had simply been encrypted. And I would not be questioning my business relationships. With today’s explosion of data in physical, virtual, and cloud servers and endpoints, many of us at Trend Micro have recommended encryption in this blog. But now my recommendation is much more personal. I am pleading with companies to please encrypt sensitive data.
I’m guessing that the organization that was hacked is unaware because I have not received a notification that my personal information was accessed. In the U.S., the vast majority of states have security breach notification laws that require this disclosure. However, many of these laws have a safe harbor exception if the personal data acquired was encrypted. One example is the new notification requirements in California that went into effect on January 1, 2012, for “any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person”. The law specifies the information that must be included in customer notifications and requires that a copy of the notification be sent to the Attorney General if more than 500 customer records are breached—but all of this can be avoided if a company uses encryption. And this is just one example. Forty-six states have security breach notification laws, as do many other regions around the globe.
Trend Micro has encryption solutions for data stored on physical, virtual, and cloud servers, email, and endpoints. These solutions can help avoid notification requirements, but, more importantly, encryption can help to preserve a business’s reputation and customer relations. After becoming a victim of identity theft, I changed banks and I’m questioning my use of numerous businesses. (Read my blog on Tips for Limiting the Damage to get a small feel for the aftermath and what is required to regain control of your identity.) If my personal information had just been encrypted, I would have been spared this nightmare. I don’t know where my personal information was compromised, but before I do business with anyone that might store my personal information I’m going to ask, “Do you encrypt your data?”