For more than a year now, I’ve been telling audiences to expect laws to be passed requiring companies to divulge breaches of network security. California already has such a law. Now Congress is debating a similar federal law that requires companies to let consumers know when personal data that could be used in identity theft is compromised by hackers.
On the whole, it’s a good thing, I think. It’ll certainly make companies think harder about network security and get serious about protecting their data–especially data that could harm innocent people. My only fear is that predatory class-action lawyers will smell money and some company that has done everything humanly possible to secure their data but suffers a minor breach of security anyway will pay dearly. It will happen; write it down.
I spend a fair amount of my time these days analyzing the security of ASP.NET Web servers and the back-end data sources that they rely upon. One of the things that astonishes me is how often companies store sensitive data in databases without encrypting it. My advice is to assume that your entire database will be stolen, and to assess the damage that could result. Then encrypt the data that you wouldn’t want a hacker to see.
Be sure to store the decryption key in a place that’s hard to get to, too. A lot of Microsoft groups like to store decryption keys in ACLed registry keys, which are outside the “Web space“ of IIS. Many go the extra mile and use the Windows Data Protection API (DPAPI) to encrypt their decryption keys. There’s no such thing as 100% secure, but by erecting enough defenses, you can sure make life hard for wannabe data thiefs.