Monday, February 23, 2009

Personal and Small Business Data Encryption: article 200902

I am not a lawyer and the below statements are only my understanding of the laws. Therefore nothing below is legal advice but merely the suggestions of what I would do to best protect myself.

In the past much attention has been paid to the confidentiality of data as it flows across the Internet (a.k.a. data in transit). Well, have you ever thought about data in transit from a different perspective, say when a guy runs off with your Acer laptop, or Western Digital Passport, or one of the many thumb drives you picked up as swag at the latest convention? Now that is some data in transit that can reach a 10 on the pucker factor, quick!

Alright, so I am really talking about data at rest that is only in transit because your goods got swiped when you got up for that second stove top donut at Starbucks. Hey, you were only 15 feet away; the force field should cast that far, right?

The point is that it is important to protect the confidentiality of data while it is at rest too, and there is a great FREE tool that will do just the job: TrueCrypt. I personally use TrueCrypt to encrypt my USB keys, my pocket drives, and my laptop. I opt to encrypt the entire drive, but the program can be used in a number of ways and it really is quite simple.

For those that are not so technical there is a great beginner's tutorial where you simply create an encrypted container and drag your items into it. For the more advanced user, you can encrypt your entire hard drive with pre-boot authentication and a rescue disk. My personal laptop with a 60 GB hard drive took about 3 hours to encrypt, and honestly I do not notice a performance hit; to give you a baseline, I pretty much surf the web, use the Microsoft Office Suite, and watch CBTs.

An important note when setting passwords anywhere, not just in TrueCrypt: make sure to select strong, multi-character, multi-case alphanumeric passwords of at least 8 characters; 10 or 12 are nice numbers, actually. An example: 0u812V@nH@l3n
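As an added illustration of the password guidance above (example code written for this page, not from the original post and not part of TrueCrypt), here is a small Python checker that tests a password against the criteria stated here and gives a rough upper bound on its entropy. The entropy figure assumes every character was picked at random, so it flatters leetspeak-style passwords; the policy check is the part to rely on.

```python
import math
import string

# Policy as stated in the post: at least 8 characters (10 or 12 preferred),
# mixed case, letters and digits, plus symbols ("multi-character").
MIN_LENGTH = 8
PREFERRED_LENGTH = 12


def character_classes(password: str) -> dict:
    """Report which character classes the password draws from."""
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def check_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, present in character_classes(password).items():
        if not present:
            problems.append(f"no {name} characters")
    if any(c.isspace() for c in password):
        problems.append("contains whitespace")
    return problems


def naive_entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate: each character assumed chosen uniformly
    from the union of the classes actually used. Substitutions such as
    '@' for 'a' and '3' for 'e' (the post's example) are well-known patterns,
    so real strength is lower than this number suggests."""
    classes = character_classes(password)
    pool = (26 if classes["lower"] else 0) + (26 if classes["upper"] else 0)
    pool += (10 if classes["digit"] else 0)
    pool += (len(string.punctuation) if classes["symbol"] else 0)
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed sample inputs: the post's own example plus two weak ones.
    for candidate in ("0u812V@nH@l3n", "password", "Abc1!"):
        verdict = check_policy(candidate) or ["passes policy"]
        print(f"{candidate!r}: {', '.join(verdict)}; "
              f"~{naive_entropy_bits(candidate):.1f} bits (upper bound)")
```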

Now this is good personal security info, but you small (and large, I suppose) business owners should take heed of this tool, especially if you're toting around customer information. Personally Identifiable Information (PII) laws are in effect, and my understanding is that here in Texas our Attorney General Greg Abbott is serious about the protection of citizens' information.

If you are a small business owner and you must lug customer data around, make sure that you document that you encrypted the data. It is my understanding that TrueCrypt does not offer a solution for this. One idea I would suggest is to give your storage devices serial numbers, document that information, and record in the same documentation which of those devices you encrypt.

Why all this trouble? Well, going back to the PII laws: if you lose customer data, that is considered a breach, and based on where you do business you must notify those whose data you lost. Now some states, with your proof of encryption, will waive this, but other states, and Texas is one of them, will not. Now, I have had multiple lawyers in round tables that I have sat in tell me that you have the chance to argue your case if you can prove you did encrypt and the encryption was strong.

I really like TrueCrypt, but there are other alternatives. You can buy devices with encryption already enabled at the hardware level, such as Dell laptops with encrypted hard drives (FDE - Full Disk Encryption) and, for a thumb drive, IronKey. The bottom line is keep your data safe, and if for some reason you carry around customer data, do yourself and them a huge favor; encrypt it.
