Encryption is a best practice that helps safeguard private data “at rest” (in the database). However, most companies don’t deploy encryption. Instead, they may say they use “compensating controls,” such as tokenization or hashing of the data. To find out more about the differences between encryption, hashing and tokenization, and the relative advantages and disadvantages of each approach, we spoke with Winston Krone, Managing Director of Kivu Consulting, which offers investigation, discovery and analysis to businesses facing data breach incidents.
One benefit of encryption usage is that, should you have a future data breach incident, the data (in theory) is useless to the bad guy and therefore still protected. At the same time, it gives you legal “safe harbor” and license not to report the breach incident. Can the same argument be made for hashing/tokens?
It’s not the same argument. Of the methods, only encryption will help you avoid the state notification laws in a data breach situation. The other issue with tokenizing is that you still have to protect the whole token system under the credit card industry regulations, so it’s not a simple alternative to encryption or the cheap panacea people thought it might be.
What else might executives need to know about their data security?
In an era of shrinking budgets and personnel cuts, it’s easy to tell the CEO that the company is encrypting data or using “encryption-like” techniques. The executive needs to ask the hard questions about what type of encryption is being used, because the IT folks might not understand the legal issues at hand. The decision of whether to use tokenization or hashing or encryption is not just a technical or cost issue—it’s very much a legal issue, so it’s a good idea to have counsel involved. The legal reasons for the method you choose may ultimately outweigh the cost. If you are attending the conference, feel free to introduce yourself to Winston or Richard.
Winston Krone was interviewed for the January 21, 2013 edition of the NetDiligence Junto Blog. The full interview is available at the following link.