When I cover data breach stories, sometimes the breached data appears benign on the surface. For example, a bunch of e-mail addresses are stolen. Now, most would argue that this is not personal information (I would readily agree) and that they don't really need to be protected. I myself feel divided over whether laptop encryption software is necessary for a portable computer that, as far as personal information goes, only includes e-mail addresses.
I'm divided, to be honest, because I think that my job is biasing my views. I feel that, yes, a database full of e-mail addresses ought to be protected via encryption. But, again, is it because it's good, common sense or because I work for a disk encryption program company?
Consider the following situations where e-mail addresses and names were all it took to carry off a successful scam:
Spam messages for Viagra and other pharmaceutical drugs, on-line banking, IRS tax refunds, etc.
Monster.com job board members are scammed into downloading a Trojan that steals information and uses encryption for data ransom requests.
While the e-mail addresses were not directly responsible for potential financial losses, they were crucial for the scam to be successful. One might claim, well, all of those are instances of "social engineering" and the people getting scammed ought to have known better.
Can you guarantee that some company, unbeknownst to you, won't make it easy to access your personal data if e-mail addresses and other benign data are provided?
This is an excerpt of an article I read today on zdnet.co.uk:
On Comparethemarket.com, people who want to get a quote for insurance policies are required to enter a swathe of information... People are then prompted to enter an email address, surname and date of birth, to view the information provided during previous sessions.
As critics of this practice have pointed out, all it takes is a data scraping program running through Facebook and other social media sites to get this information. Or the breach of a massive database of the same and similar information.
I'm sure there are other companies that have the same lax (and badly designed) security practices; this is not to just harp on comparethemarket.com. Indeed, the ZDNet story also mentions a confused.com. Yes, they are (but not for long. The latter site is making changes based on the criticism).
With situations like the above, doesn't it make sense to protect even trivial-looking information, say by encrypting an e-mail database? On the other hand, if people are going to allow their information to be posted for public viewing (such as in Facebook), does it matter?
Of course, by "trustee" I don't mean the legal definition of the word, but that an organization has been entrusted with something.
If we consult the field of medicine, we can see they've got a weird trustee situation where, if the patient decides to make their maladies public, they're free to do so, whereas the attending doctor--or any doctor, nurse, paramedic, etc.--can't exercise such freedom. Even if he or she saw the patient tell the world about the condition five minutes ago, the physician is still prevented from saying anything unless the patient's OK is given, except in the most pressing circumstances.
When you think about it, this is true for many different organizations. For example, a person can go around telling the world what his Social Security number is, but if the government were to post it on the internet, there'd be repercussions.
It's the same for your bank account number and your banker. And then there's the white pages, where your name is not listed if you don't want it to be. Under such a situation, you're able to tell people what your phone number is, but the telephone company cannot (or at least, should not).
I'm arguing, in quite a roundabout way, that it doesn't matter what the individual decides to do with his or her own data. Companies that collect data, and pretty much promise to protect that data, have a duty to stick to what they've promised, regardless of the individuals' actions.
And, if such a conclusion is deemed valid, then protecting e-mail addresses and other "benign" data as if they were sensitive info is necessary. With more and more security experts pointing out that phishing e-mails are impossible to differentiate from the real stuff, I can see at least one reason why a company ought to encrypt their e-mail address database as if they would a credit card database.
Related Articles and Sites: http://www.zdnet.co.uk/news/security/2010/09/03/experts-data-at-risk-on-price-comparison-sites-40089993/