In May of 2007 Scott & Scott, LLP commissioned the Ponemon Institute to conduct a national survey titled the Business Impact of Data Breach. Out of the 720 companies that responded, 85% reported that they had experienced a data breach and 81% indicated that they suffered a privacy notice triggering event. I was surprised by the high percentage of companies that reported a data breach and alarmed by the number of companies that had notice triggering events. Implementing programs that minimize notice triggering events is easier to accomplish than many companies may realize.

Contrary to popular belief, the single largest cause of data breaches is missing portable devices such as laptops, representing 42% in our survey, while criminal acts such as hacking represented only 6%. Accordingly, I have been advising my clients to implement encryption technologies on laptops and PDAs for several years.

Most of the 38 states that currently have data privacy breach notification statutes specifically define the personal information that is subject to the statute by using the term “unencrypted” in the statute. The statutes that do not specifically exempt encrypted data in the definition of personal information have an exception for incidents where there is no reasonable probability of harm. Accordingly, if you have a laptop or PDA that goes missing and that laptop is equipped with encryption technology, you will likely have no data privacy notice obligation under state laws. Amazingly, even after suffering a data breach, 46% of the companies in our survey failed to implement encryption technology.

While implementing encryption in our firm, I discovered that encryption can be expensive and disruptive to business operations. In our firm, we have experienced costs exceeding $100.00 for licensing, labor costs related to installation, and performance and reliability impacts on laptops post installation. For these reasons, I was intrigued to learn that the major hardware manufacturers Dell, Lenovo, and HP were working with hard-drive manufacturers such as Seagate to develop hard drives equipped with encryption technology “out of the box.” I am now advising my clients to change their standard laptop build to include these hard drives. The quote for my new laptop from Dell includes the following description:
| Hard Drive: | 80GB Hard Drive 8MM, 5400RPM Latitude D430 (341-5730) |
As time goes by, these drives will get faster and the gap between non-encrypted drive performance and encrypted drive performance will either go down or become less important. In the meantime, if you are concerned about data privacy, purchasing your new laptops with encrypted hard drives is one of the smartest things you can do. For additional information, a copy of the Business Impact of Data Breach is available here:
http://www.scottandscottllp.com/resources/data_breach.pdf
A copy of Scott & Scott’s State Data Breach Notification chart is available here:
http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf