
PGP Webcast Summary
February 2007

The Role of Encryption in Data Protection

Version 1.0

PGP Webcast Summary: The Role of Encryption in Data Protection

Table of Contents

EXECUTIVE SUMMARY ... 3
INTRODUCTION ... 4
WHERE'S THE THREAT? ... 4
  UNAUTHORIZED ACCESS ... 4
  THE EXTENDED OFFICE ... 5
  MOBILE WORKFORCE ... 5
  INSIDERS ... 5
  OUTSIDERS ... 5
WHAT'S DRIVING DATA PROTECTION? ... 6
  DUE CARE ... 6
  REPUTATIONAL RISK ... 6
  REGULATORY RISK ... 7
  INDUSTRY STANDARDS ... 8
WHAT'S THE COST OF A DATA SECURITY BREACH? ... 8
  INDUSTRY IMPACT ... 8
  CUSTOMER IMPACT ... 9
WHAT'S THE ROLE OF ENCRYPTION IN PROTECTING DATA? ... 9
  WHAT NEEDS TO BE PROTECTED? ... 9
  WHAT CONSTITUTES AN EFFECTIVE SYSTEM? ... 10
WHERE SHOULD COMPANIES START? ... 11

© 2007 PGP Corporation. All Rights Reserved. CULWEBDCST070205
APPROVED FOR EXTERNAL DISTRIBUTION

Executive Summary
This PGP Webcast Summary is based on a presentation given in 2006 to Honeycomb Connect
Banking Information Technology (B.I.T.) executive members by Dave Cullinane, Chief Information
Security Officer (CISO) for eBay Marketplaces. Mr. Cullinane is the former CISO for Washington
Mutual Inc. and previous International President of the Information Systems Security Association.
The primary goals of the webcast were to address the increasing vulnerability of sensitive
information in the workplace as well as the pressing need for data protection and specifically, for
encryption.
This summary identifies the multiple locations where information is most vulnerable, given the
current nature of the enterprise infrastructure and systems. It also addresses the increasingly
sophisticated attacks on information, the impact of data breaches on both the industry and
consumers, and the measures organizations can take to prevent such attacks.
In addition to discussing threats, the summary explores the reasons for the recent interest in data
protection, including potential risks, relevant legislation, and emerging standards. It also presents an
overview of encryption's role in protecting data as well as the range of individual-to-enterprise
encryption solutions currently available, plus new and emerging technologies.
Finally, the summary outlines four key criteria to help organizations select a suitable encryption
vendor.
Introduction
This PGP Webcast Summary is based on a presentation given in 2006 to Honeycomb Connect
Banking Information Technology (B.I.T.) executive members by Dave Cullinane, the Chief
Information Security Officer (CISO) for eBay Marketplaces. Mr. Cullinane is the former CISO for
Washington Mutual Inc. and previous International President of the Information Systems Security
Association (ISSA), a not-for-profit international organization of information security professionals
and practitioners.
The primary goals of this presentation were to address the increasing vulnerability of sensitive
information in the workplace as well as the pressing need for data protection and specifically, for
encryption.

Where's the threat?

"Other than everyone who works for us and everyone who doesn't work for us, we have no one to fear."
Dave Cullinane

In today's connected, electronic world, sensitive information is everywhere. Given the current
distributed nature of the enterprise infrastructure and systems, there are now multiple locations
where information is vulnerable. Even more important, data formerly held safely inside an
organization is beginning to migrate to places outside the traditional office, thanks to its digital nature
as well as to new computing form factors and new business practices such as a remote, distributed
workforce.
Cullinane calls this trend the "de-perimeterization" of security, where the line between an
organization and its partners, vendors, and customers has blurred because of pervasive data
sharing. Protecting confidential information in this large and increasingly complex environment is an
enormous challenge.
Unauthorized Access
Sensitive information is no longer safe just because it is inside the organization. Numerous internal
controls can be bypassed by malicious insiders, for example, increasing the risk of data breaches.
Database and system administrators also pose potential threats.[1] These "super users" often have
unlimited access to the information in company databases and can even restructure the database or
move information around at will. Despite these vulnerabilities, however, many organizations have
done little to thoroughly protect sensitive data.
Simply defining who has access to which system and with which privileges has become a difficult
and complex issue. In addition, the proliferation of stored data and customer information represents
an obvious security risk. For example, many organizations now store large volumes of data in a
shared environment such as a storage area network (SAN), a practice that raises additional
concerns. As Cullinane points out, "How do you make sure that your information is protected, that no
one in any of those organizations can see it, and that no one in the companies from whom you're
leasing storage space can see it either?"
Using leased lines or buying network capacity from third-party vendors also can make a company's
data more vulnerable to unauthorized access. "You have to decide what level of trust you can
establish with these people and how much of making sure information is protected from prying eyes
is your responsibility," says Cullinane.

[1] Gaudin, Sharon, "Ex-UBS Sys Admin Found Guilty, Prosecutors To Seek Maximum Sentence," InformationWeek, July 19, 2006:
http://www.informationweek.com/news/showArticle.jhtml;jsessionid=Q225LEL4ILC1CQSNDLPSKHSCJUNN2JVN?articleID=190700064

The Extended Office
The term "workplace" has taken on a broader meaning as today's employees increasingly transform
their homes into extensions of their offices. Unfortunately, many people unknowingly send sensitive
information by insecure means that can easily be intercepted. According to Cullinane, "It's usually
being done [working from home] with the best of intentions by the best of employees who are simply
looking for effective ways to get work done." If that practice results in a data breach, however, it can
be difficult to assure regulatory agencies the company is doing an effective job of protecting
customer information on machines outside the corporate network that may also be used by an
employee's family or friends.
Mobile Workforce
When not in the office or at home, more employees are beginning to use portable devices to
accomplish work on the road. The flexibility of mobile devices and storage has created a
smorgasbord of susceptibility in the world of information security. With perpetually changing software
and improved technology, protecting information on these devices has become increasingly difficult.
Whether employees travel frequently or simply use laptop computers, PDAs, and USB flash memory
because of their easy portability, the growing use of mobile devices will continue to create a dilemma
from a security standpoint.
Insiders
The temptation for insiders to steal customer data or corporate intellectual property is significant.
According to Deloitte's 2006 Global Security Survey, nearly half of the financial institutions
surveyed had experienced an internal security breach. The ease with which electronic data can be
duplicated contributes to the potential threat. Employees can simply print lucrative information or
copy it to a USB thumb drive and carry it out of the office, for example. "How are you going to tell
and how are you going to control that type of activity?" Cullinane wonders.
If customer information is compromised, the company is responsible for the consequences to both
its reputation and its bottom line. Publicity about data breaches has not only resulted in increased
customer turnover, but also financial hardships for affected companies due to regulatory
requirements to notify individuals whose data has been compromised. (See "What's the cost of a
data security breach?" on page 8.)
Outsiders
There has been a recent increase in the sophistication of attacks on information. Rather than
focusing primarily on financial services, as in the past, such attacks now threaten any lucrative
target. Although organizations can take steps to prevent these attacks, no company is immune to
the possibility of a data breach. "External threats are expanding to any organization that has
something of value to steal," Cullinane points out. "And if you do, you should be preparing because
they are definitely going to come after you."
One type of attack currently being used is called "phishing." Phishers use electronic
communications that look as if they came from legitimate banks or other companies to persuade
people to divulge sensitive information, including passwords and credit card numbers. "These
hackers look for anything valuable they can profit from, and once they find an exploitable weakness,
they attack ferociously," says Cullinane. "They are sophisticated people who understand how to
manipulate systems, and the threat is becoming very significant."

What's driving data protection?
There are many factors contributing to the increased interest in data protection. Although the drivers
vary, together they help illustrate the importance of implementing a proactive security strategy that
features a comprehensive encryption solution.
Due Care
All companies are responsible for protecting their customers' private information, even when the job
of managing data is delegated to a third party. To accomplish this goal properly, companies must
follow what is known as "due care." Due care is a legal concept that refers to the care a reasonable
and prudent person would exercise in protecting company assets. "That's a fairly easy statement to
make," Cullinane says, "but the reality is a moving target." He advises organizations to look at what
companies in the same or related industries are doing and then take similar precautions. "You
have to establish what's due care for your industry or particular organization, and make sure you've
got the appropriate measures in place to meet that standard," he points out.
Reputational Risk
In today's marketplace, brand image, reputation, and consumer trust are significant factors in a
company's success, particularly in highly visible industries such as security. In February 2006, for
example, McAfee, a Silicon Valley security company, severely damaged its reputation when an
external auditor left an unencrypted CD containing information on more than 9,000 McAfee
employees on an airplane. This incident not only compromised personal data such as the
employees' Social Security numbers, but also could threaten McAfee's leadership position in the
industry.
The incident highlighted the fact that even security companies may not safeguard sensitive data and
emphasized that encryption is the best option to ensure information security. In fact, according to
industry analyst Gartner, protecting such information with encryption is a magnitude less expensive
than paying for cleanup after a data breach or massive records loss.[2]

[2] Litan, Avivah, "Cleaning Up Data Breach Costs 15x More Than Encryption," TechWeb, June 6, 2006:
http://www.techweb.com/wire/security/188702019

Regulatory Risk
"Legislation is becoming incredibly pervasive," Cullinane points out. Regulatory noncompliance can
also result in stiff financial consequences. "A number of organizations recently had breaches, and
the FTC levied some extremely significant penalties," he adds. These penalties are both expensive
and time-consuming, often restricting the daily business practices of the affected companies.
Following are some of the key regulations with which many organizations must comply.
CA SB 1386. The first U.S. state law to directly address corporate responsibility for personal data
loss, California Senate Bill (CA SB) 1386, passed in July 2003, made it mandatory for companies to
notify any resident if his/her information was breached as a result of a computer security incident. If
the compromised information was encrypted, however, no notification is required.
Since then, 32 states have introduced similar regulations.[3] According to Cullinane, some of these
laws vary significantly in their requirements: "The New York State law requires that you notify
customers within 7 days of a breach. I'd be willing to bet that most organizations would find it very
difficult to complete any kind of decent investigation to determine what actually happened and who
they might need to notify within 7 days, never mind actually doing the notifications."
Gramm-Leach-Bliley. Similarly, the Gramm-Leach-Bliley Act (GLBA), passed in March 2005,
includes guidelines for the protection of customer information. The GLBA requires financial
institutions to consider whether an encryption solution is appropriate to protect customer information;
if it is, the institutions must implement one. It also mandates that if information in any form is
compromised, the company responsible must inform its customers if there is a "reasonable
possibility" it will be misused.
Unlike CA SB 1386, the GLBA requires customer notification even if information was encrypted,
unless the organization can prove it was using an effective encryption methodology that would
have prevented any reasonable possibility of misuse. As Cullinane points out, however, that
situation has created a corollary problem: "Most of the banks are doing customer notifications for the
merchants that are actually experiencing the breaches. And determining whether a specific loss
constitutes a 'reasonable possibility' of misuse has raised a lot of issues that even the regulators
hadn't anticipated in terms of size and scope. It's becoming quite onerous."
Proposed U.S. Federal Legislation. Since early 2005, lawmakers have introduced more than 10
bills dealing with data breach notification in the hope of creating a new U.S. federal law to serve as a
regulatory umbrella. A new federal law would establish an overarching set of requirements that
supersede those mandated by individual state laws. As Cullinane notes, "Let's say a bank has a
GLBA program in place and is doing all the things the GLBA requires for compliance. Obviously, it
would be advantageous not to have to comply with 28 or 50 different state laws as well." The
proposed data breach notification bills differ in several ways, including varying requirements about
when a breached company should notify customers. In May 2006, two of these bills had passed
through Senate committees and were in Senate review, and two other bills were awaiting House
review. A new federal law was not passed in calendar 2006, however.
HIPAA. Similar to the GLBA, which regulates financial services organizations on a broad level, the
U.S. Health Care Information Portability and Accountability Act (HIPAA) focuses on the health care
industry. The act states that if determined to be reasonable and appropriate, security measures such
as encryption must be implemented for all Electronic Protected Health Information (EPHI), both in
transit and in storage. Noncompliance with HIPAA is punishable by fines, but is not as strictly
enforced as GLBA noncompliance.
EU Data Privacy Directive. In Europe, the EU Data Privacy Directive, created in 1998, protects the
private information of individuals. It requires all 15 European member states to enact legislation
requiring organizations to implement personal information privacy policies. The directive also
requires member states to protect the freedom and rights of individuals, essentially making privacy
an elementary human right.

[3] http://www.ncsl.org/programs/lis/cip/priv/breach06.htm

Industry Standards
The Payment Card Industry (PCI) Data Security Standard (DSS) is the most dominant and wide-
reaching industry data security standard today. It establishes requirements for the protection of
customer credit card information for merchants, processors, banks, and any other organization that
retains or processes such information. The PCI DSS also mandates that credit card information be
encrypted, which is a driving force behind the need for such solutions.

What's the cost of a data security breach?
Industry Impact
The cost of a data breach can literally cripple a company. For example, the effects of the February
2005 ChoicePoint[4] data breach were significant. "The company actually lost 45 percent of its net
income as a result of the consequences of that breach," Cullinane notes. He says that ChoicePoint
made the basic mistake of not looking for potential vulnerabilities in its system and making sure
those risks had been appropriately addressed: "They had some good controls in place and they
were doing most of the right things. The one thing they didn't do is go back to see how someone
could beat the system, and unfortunately, that's what happened to them."
In its second annual research study, released in October 2006, The Ponemon Institute estimated
the approximate dollar amount of a breach.[5] Based on 31 companies that lost customer information
in actual data breaches and were required to alert their customers, the cost of a notification ranged
from less than $1 million to more than $22 million, or an average of $182 per compromised record, a
31 percent increase over 2005. The Ponemon Institute broke down these costs into three
subcategories: direct incremental costs, indirect productivity costs, and lost customer opportunity
costs.
- Direct incremental costs, or out-of-pocket spending for a company, averaged $54 per lost
  record, an 8 percent increase over 2005.
- Indirect productivity costs, which include costs for lost employee or contractor time and
  productivity diverted from other tasks, averaged $30 per record, an increase of 100 percent
  over 2005.
- Lost customer opportunity costs, which include existing customer turnover and
  increased difficulty in recruiting new customers, averaged $98 per lost record, an increase
  of 31 percent over 2005. Customer turnover averaged 2 percent per affected organization
  and ranged as high as 7 percent.

[4] In February 2005, ChoicePoint, a corporation that collects and compiles information that includes personal and financial
information on millions of consumers, disclosed that it had been the victim of a security breach wherein it had sold personal
information of almost 145,000 people to a criminal enterprise. http://www.ncsl.org/programs/lis/cip/priv/breach.htm
[5] The Ponemon Institute, "2006 Annual Study: Cost of a Data Breach," October 2006:
http://www.pgp.com/downloads/research_reports/ponemon_reg_direct.html

Customer Impact
Customer notifications are becoming a major issue for companies that experience a data breach. "If
you do have a breach and you need to notify customers, it's extremely likely that you're going to
have a significant loss of customers as a result of that notification," says Cullinane.
In a related study by The Ponemon Institute,[6] more than 50,000 customers who had received such
notifications were asked about their relationship with the notifying companies. The study found that
20 percent of customers terminated their accounts immediately after notification and another 40
percent considered terminating their relationship with the company, resulting in the loss or potential
loss of nearly two-thirds of customers who were notified.

[6] The Ponemon Institute, "The National Survey on Data Security Breach Notification," August 2005:
http://www.pgp.com/downloads/research_reports/ponemon_reg_direct.html

What's the role of encryption in protecting data?

"Encryption is almost certainly the best single solution and probably the ultimate line of defense for protection of sensitive information."
Dave Cullinane

With so many potential threats to sensitive information from both inside and outside companies
today, encryption is the only solution that can protect the data on laptops, in email and other
communications, as well as in databases, storage, and other locations or devices. With encryption,
data is protected even if infrastructure protection, such as firewalls or network access control
systems, is compromised.
What needs to be protected?
Whole disk encryption is gaining popularity as an information security solution because laptops are
more common, more portable, and more vulnerable to theft than ever before. As Cullinane points
out, "Any company that allows customer or sensitive information to be stored on laptops should have
implemented a laptop encryption solution. And if you're not, you probably should be."
Along with laptop encryption, database encryption is an area of equal importance. "A customer
name plus anything else that would be considered non-public personal information needs to be
protected and may very soon be a legal requirement," Cullinane says. "We need to protect that type
of information wherever it's at rest instead of just where it's traveling around the network."
Email is another fundamental encryption solution for companies today. Considerable amounts of
customer information are sent, stored, and replicated through email every day, making it susceptible
to attacks if not properly protected. According to Cullinane, "Most of the major banks are doing
analyses as a result of the GLBA to look at where their information is moving, where customer
information is held, and how it's being handled. And almost all of them, including those that have
policies specifically prohibiting it, are finding that significant portions of customer information are
being sent through email."
One of the main reasons for this practice is the business need for electronic communications.
"Customers send email to organizations because they like to use it, and often the only way to
answer them effectively and still provide customer satisfaction is to respond back via email with
information that shouldn't be sent in clear text across an untrusted network like the Internet,"
Cullinane says. "So the customer's use of technology is actually starting to drive requirements that
hadn't existed before."
What constitutes an effective system?
Although many companies feel that they are secure once they have an encryption program in place,
this is far from the truth. According to Cullinane, "Using encryption effectively is not simple. The most
difficult thing is the design and management of the system, and key management is a major
component of any effective encryption solution. I've seen a number of encryption solutions that
stored the key right next to the data it was encrypting, so if I broke into the server, it would be easy
to find the key and then decrypt the data. That's not what you'd call an effective encryption solution."
Cullinane says that an effective solution will enable organizations to securely create, distribute,
store, maintain, update, and destroy keys so they do not need to build those capabilities themselves.
Although implementing a company-wide encryption solution may seem a bit daunting, there are new
options available that simplify critical tasks such as key management. In addition, some
solutions are now non-disruptive and no longer require the end user to make manual decisions
about when and how to use encryption.
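The key-beside-the-data failure Cullinane describes, and the create/update/destroy lifecycle he lists, as an added example in Go (not PGP's product and not code from the webcast): envelope encryption, where each record gets its own data key (DEK) wrapped under a key-encryption key (KEK) that is assumed to come from a separate key server or HSM and is never written to the data store, shown next to the weak layout that keeps the key with the ciphertext. The record layout and the sample row are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one encrypted row as the data store holds it (constructed layout). WrappedDEK is the
// row's data key sealed under a KEK that is never written to this store, so the store alone is useless.
type Record struct{ Nonce, Ciphertext, WrapNonce, WrappedDEK []byte }
// WeakRecord is the design Cullinane criticises: the key sits beside the data it protects.
type WeakRecord struct{ Nonce, Ciphertext, DEK []byte }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // 32-byte keys here, so AES-256
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return g
}

// seal encrypts with AES-GCM under a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte) {
	g := gcm(key)
	nonce = randBytes(g.NonceSize())
	return nonce, g.Seal(nil, nonce, plaintext, aad)
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	return gcm(key).Open(nil, nonce, ct, aad)
}

// Encrypt creates a fresh per-record DEK and wraps it under the caller's KEK; authenticating
// the ciphertext inside the wrap binds that key to this record.
func Encrypt(kek, plaintext []byte) Record {
	dek := randBytes(32)
	n, ct := seal(dek, plaintext, nil)
	wn, wrapped := seal(kek, dek, ct)
	return Record{Nonce: n, Ciphertext: ct, WrapNonce: wn, WrappedDEK: wrapped}
}

// Decrypt needs the KEK from outside the store; a wrong KEK or a destroyed key fails.
func Decrypt(kek []byte, r Record) ([]byte, error) {
	if r.WrappedDEK == nil {
		return nil, errors.New("data key destroyed: record is unrecoverable")
	}
	dek, err := open(kek, r.WrapNonce, r.WrappedDEK, r.Ciphertext)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Nonce, r.Ciphertext, nil)
}

// Rotate (the "update" step) re-wraps the DEK under a new KEK; the bulk data is untouched.
func Rotate(oldKEK, newKEK []byte, r Record) (Record, error) {
	dek, err := open(oldKEK, r.WrapNonce, r.WrappedDEK, r.Ciphertext)
	if err != nil {
		return Record{}, err
	}
	r.WrapNonce, r.WrappedDEK = seal(newKEK, dek, r.Ciphertext)
	return r, nil
}

// Destroy drops the wrapped DEK (crypto-shredding): even the KEK holder cannot recover the row.
func Destroy(r Record) Record {
	r.WrapNonce, r.WrappedDEK = nil, nil
	return r
}

// WeakEncrypt/WeakDecrypt: whoever copies the store can decrypt with no further secret.
func WeakEncrypt(plaintext []byte) WeakRecord {
	dek := randBytes(32)
	n, ct := seal(dek, plaintext, nil)
	return WeakRecord{Nonce: n, Ciphertext: ct, DEK: dek}
}
func WeakDecrypt(w WeakRecord) ([]byte, error) { return open(w.DEK, w.Nonce, w.Ciphertext, nil) }

func main() {
	kek := randBytes(32) // in practice fetched from an HSM or key server, never stored with the data
	pt, err := Decrypt(kek, Encrypt(kek, []byte("acct=4111-xxxx name=J. Doe"))) // constructed row
	fmt.Printf("with KEK: %q, err=%v\n", pt, err)
}
```

Rotating the KEK touches only the small wrapped key, and deleting the wrapped key retires the row without rewriting or finding every copy of the bulk ciphertext.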
Design an encryption strategy. Cullinane advises organizations to make sure they have a plan:
"Define what your requirements are, where your sensitive information is, and what you need to use
encryption for. Then look at where you'll get the most return for your dollar by using encryption today
as well as where you'll need to go next year and the year after that." In addition, Cullinane says
organizations should create a detailed implementation plan that lists who is responsible for what and
when, to ensure the project is funded.
Enterprise encryption solutions should become the standard for most companies. Instead of buying
one solution for database encryption, another for laptops, and another for email, companies are
choosing enterprise solutions that address all their needs while simplifying management. This
approach eliminates the compatibility issues that often make ubiquitous protection complicated.
Automated content compliance systems make the newest encryption solutions even more
streamlined. These systems detect information that needs to be protected, such as an email
containing credit card or Social Security numbers, and automatically encrypt the message without
requiring changes in employee behavior or business processes.
Where should companies start?
Selecting an encryption vendor is the most important decision a company can make when
implementing an encryption strategy. Whichever solution it chooses, sensitive information will remain
vulnerable if the vendor's product is unreliable or ineffective. Following are the most important
characteristics to look for when choosing an encryption vendor:
- Proven and vetted technology. If an encryption product has not been tested by
  cryptologists and used by a variety of organizations and individuals for more than 10 years,
  there is no track record to show that it is completely secure.
- Products based on industry standards. Only encryption products that are compatible
  with current standards will interoperate with most popular systems, making it easier to work
  with customers, partners, and vendors that use solutions based on industry-standard
  algorithms and communication protocols.
- Products that are non-disruptive. An encryption product should integrate with the
  company's existing email system and network infrastructure to ensure the widest
  compatibility among deployments. Encryption should be automated and enforced by policy.
- Financial viability. Avoid selecting a vendor whose financial situation is questionable: an
  unsupported solution is an ineffective one.
When implementing an encryption strategy, organizations should keep in mind that data security is a
process, not a product. Choosing the right encryption solution, however, will protect customer
information and other sensitive data such as intellectual property while guarding the company
against financial, reputational, and brand damage.
PGP Corporation
3460 West Bayshore Road
Palo Alto, CA 94303 USA
Tel: +1 650 319 9000
Fax: +1 650 319 9001
Sales: +1 877 228 9747
Support: support.pgp.com
Website: www.pgp.com

© 2007 PGP Corporation
All rights reserved. No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form by any
means without the prior written approval of PGP Corporation.
The information described in this document may be protected by one or more U.S. patents, foreign patents, or pending
applications.
PGP and the PGP logo are registered trademarks of PGP Corporation. Product and brand names used in the document may be
trademarks or registered trademarks of their respective owners. Any such trademarks or registered trademarks are the sole
property of their respective owners.
The information in this document is provided "as is" without warranty of any kind, either express or implied, including, but not
limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
This document could include technical inaccuracies or typographical errors.
All strategic and product statements in this document are subject to change at PGP Corporation's sole discretion, including the
right to alter or cancel features, functionality, or release dates.
Changes to this document may be made at any time without notice.