Why encrypt data? Believe it or not, this is one of the most common questions we get in our work. Read on for why encryption saves money and lets you launch your product with confidence.
Most developers need a requirement before they can implement something, even encryption. That requirement is usually a business need for a paying customer. Unfortunately, security (and encryption in particular) is very behind-the-scenes. It’s often considered a non-functional requirement: an attribute of the system that should be there, but we can’t quite put our fingers on whether and how it changes the functionality of the system. This is probably a mistake; encryption often does change the functionality of a software system, so we can’t ignore it. It may require extra steps from users, such as backing up a key or approving the keys of the other users they communicate with.
That said, there are many strong business reasons why you should encrypt data.
- It saves money during a data breach. Why encrypt? Encrypted data costs less to remediate.
- Compliance rules like HIPAA (healthcare), GDPR (EU privacy rule), and FISMA (US government agencies and contractors) often require encryption.
- Negative news coverage of data leaks can tank an entire business.
- It protects your IP. If your organization has ideas, code, or information worth protecting, it should be encrypted.
- Finally, it protects the users. When user data is leaked, they pay the price in stolen identities, stolen money, and lost privacy. It’s the right thing to do.
When Data is Breached, Encryption Saves Money
For example, here’s a table from the excellent Ponemon report on the cost of data breaches. It shows the per-user cost of a data breach across various industries. For instance, a 1,000-user data breach would cost an average of $141,000 to remediate. In healthcare, the figure is more than double that.
“Heavily regulated industries such as healthcare, education and financial organizations have a per capita data breach cost substantially higher than the overall mean of $141. Public sector, research, media and transportation organizations have a per capita cost well under the overall mean value.”
This cost-per-user metric for data breaches illustrates the importance of widespread use of cryptography. The same report presents a helpful chart showing the factors that increase or decrease this cost. Most of the mitigations that matter are procedural: incident response, training, business continuity management, threat sharing, etc. Developers have limited impact on those aspects, but one area we are accountable for is encryption.
Why encrypt? The most effective technical means for reducing the cost of a data breach is encryption.
“Figure 9 provides a list of 20 factors that increase or decrease the per capita cost of data breach. As shown, an incident response team, extensive use of encryption, employee training, BCM involvement, participation in threat sharing, and use of security analytics decreased the per capita cost of data breach by seven or more dollars per compromised record.”
Organizations that handle the data of EU citizens are likely familiar with the EU General Data Privacy Regulation (GDPR), effective in 2018. GDPR has had a massive impact because it has strict enforcement penalties.
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater). For security breaches, the fine is half that. However, it would not apply if the data is encrypted when breached. The EU holds an expansive view of what is considered “personal data”, including name, IP address, and email address, which appear in most databases.
US companies often think this doesn’t apply to them, but the rules follow the data:
“…this applies to US companies that are not located in the EU but do offer goods or services to EU citizens or monitor the behaviors of EU citizens. These companies must be in compliance with GDPR rules on the data privacy of these individuals.”
Even if the majority of a developer’s users are not EU citizens, encryption is required if you want to process any EU citizen data. US companies can implement “Privacy Shield” to demonstrate to the EU that they are compliant.
Similarly, in the US healthcare system, the HIPAA privacy rule requires health information to be encrypted:
“Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.”
Encrypt because it can save a fortune in a data breach, encrypt because it’s required for compliance, or encrypt because it’s the right thing to do to protect your users. If you don’t think you need encryption, you might be underestimating your attacker.