Here’s a table from the excellent Ponemon Institute report on the cost of data breaches. It shows the cost of a data breach per compromised record across various industries. For instance, a breach exposing 1,000 user records would cost an average of $141,000 to remediate. In healthcare, the per-record figure is more than double that. Of the technical controls the report measures, extensive use of encryption is the one that most reduces the cost of a breach.
Any organization that handles the data of EU citizens is likely familiar with the EU General Data Protection Regulation (GDPR), which becomes enforceable in May 2018. GDPR will have a massive impact because it carries very severe penalties.
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). Failures of the security obligations fall into the lower tier, where the maximum fine is half of that. Encryption does not make a breach free of consequences, but it changes them substantially: if the breached data was encrypted so that it is unintelligible to whoever obtained it, the obligation to notify the affected individuals does not apply, and the measures you had in place count in your favour when a fine is set. The EU also holds an expansive view of what is considered “personal data”, including name, IP address, and email address, which appear in most user databases.
US companies often think this doesn’t apply to them, but the rules follow the data:
“...this applies to US companies that are not located in the EU but do offer goods or services to EU citizens or monitor the behaviors of EU citizens. These companies must be in compliance with GDPR rules on the data privacy of these individuals.”
From a development standpoint, even if the vast majority of your users are not EU citizens, you need appropriate security measures for any EU citizen data you continue to process, and encryption is the measure GDPR names explicitly and the one that spares you from notifying users after a breach. US companies can self-certify under the EU-US Privacy Shield framework to lawfully receive personal data from the EU; note that this covers the transfer itself, not GDPR compliance as a whole.
Similarly in the US healthcare system, HIPAA gives encryption a privileged status: the HIPAA Security Rule lists it as an addressable safeguard, and under the breach notification rule a loss of properly encrypted health information is not a reportable breach, because the data is not considered “unsecured”. The HHS guidance describes the condition as follows:
“Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.”