data loss prevention


The XCS 10 Forecast: Cloudy with 100% Chance of Content Security

Over the past decade, during the journey of server virtualization from primarily dev/test environments to mission-critical deployment on-premise and in the cloud, the applications that have led the way have been the email and web services that power most businesses. And as those business-critical uses keep growing, so too does the need to keep them secure. But protecting virtualized and cloud-based deployments is difficult if you rely solely on traditional security appliances. That changes now with the arrival of WatchGuard XCS 10, the latest operating system for our enterprise content security platform.

In fact, if you’re a user of the XCS hardware and XCSv virtual appliances with a LiveSecurity subscription, you can upgrade now for free.

With new Microsoft Hyper-V® support, IPv6 support, and outbound anti-spam capabilities, XCS 10 streamlines the implementation and management of content security strategies for small, medium and large enterprises.

According to Gartner, nearly two-thirds of x86 architecture workloads have been virtualized on servers. The growth of virtualization in the SMB and mid-sized enterprise has been accompanied by the growth of Hyper-V market share. With email and Web being two of the most commonly virtualized enterprise applications, having the ability to protect them within the same cloud/virtualized environment in which they are deployed gives IT organizations increased flexibility and business continuity. This streamlines management and enables the system to scale. And now they can take advantage of this power on Hyper-V as well as on VMware vSphere.

Unlike software-only solutions, customers do not need to install, maintain, and patch operating systems and other tools in order to deploy rich email and web security with data loss prevention.

WatchGuard XCS 10 also brings support for the IPv6 standard. One of the side effects of the rise in virtualization and the digitization of the world’s workforces is that we have effectively run out of blocks of “classic” IP addresses. In fact, in some parts of the world, IPv6 is now mandatory. WatchGuard XCS 10 not only supports IPv6, but also enables mixed legacy environments to ensure global connectedness and security.

For complete release details, you can find the press release here, or visit the product page here.

Introducing the future of security intelligence

Being able to assess incoming threats in real time, export reports that inform key decision makers and analyze network usage as it ebbs and flows is a vital tool for fighting the threats, vulnerabilities and attacks that businesses around the world face. In network security, visibility is protection.

Unfortunately, a recent survey by the SANS Institute shows that only 10 percent of respondents felt confident analyzing large data sets for security trends, even though 77 percent are collecting logs and monitoring data from various systems and security devices.

And, this lack of visibility gets worse. In a recent survey conducted by WatchGuard and Slashdot of security professionals, WatchGuard found that:

  • 51 percent of respondents reported having only limited or even zero visibility into which applications are consuming bandwidth.
  • 51 percent of respondents could not identify which geography a detected threat originates from.
  • 40 percent of those surveyed would take multiple hours or even multiple days to compile a compliance report for 48 hours of traffic.
  • 33 percent of respondents would either require more than an hour to identify the source of a problem in their network or were unable to identify sources regardless of time frame, posing a huge security risk for their networks.

To date, security professionals have had to rely on log data and perhaps some basic geomaps (or use complex and costly SIEM solutions). At times, those logs can feel like drowning in a sea of data.

But, all of this is about to change.

Today, WatchGuard announces the availability of WatchGuard Dimension – free with the new WatchGuard OS 11.8 and standard on any new XTM appliance.


WatchGuard Dimension

A recent report from Frost & Sullivan analyst Frank Dixon recommends that “reporting tools need to aggregate information across multiple security service to enable a singular view, allowing for ease in management and greater effectiveness of network security problem diagnosis.”

WatchGuard Dimension is a big data-style network security visibility solution that’s now standard on WatchGuard’s flagship XTM Unified Threat Management platform. To learn more about the importance of increased visibility in UTM systems, you can read this white paper that outlines the factors companies need to consider.

Get instant visibility to top-line security issues. Instantly grasp activity by top user, site or app. Home in on risk sources. Now you’re armed with actionable insight, delivered in a unified view. Here are the key features of WatchGuard Dimension:

Executive Dashboard: Provides a high-level view of the various data streams being monitored. With just a click, users can drill all the way down to individual log data, as needed.


Executive Reporting: With the Executive Reporting function, users can choose from more than 70 comprehensive reports, with both summary and detail options tailored for C-level executives, IT directors, compliance officers and small business owners. Summary report options include specific HIPAA and PCI compliance reports, plus the ability to pre-schedule reports for delivery to key stakeholders in a user’s organizations. These reports can be exported to sharable PDFs.


Hierarchical TreeMap: WatchGuard Dimension’s TreeMap, called FireWatch, filters traffic in a way that instantly brings your eye to the most critical information on active users and connections, as well as who and what is using the most bandwidth. The TreeMap view also provides options to pivot, drill-down and filter.


Global ThreatMap: ThreatMap features multiple, interactive configurable views on a world map, making it possible to have real time views of threats per region. That information is critical to helping users identify and fine-tune defenses against those attacks.


Building a product like this is not just something we do lightly. We know there will be some adjustments to the new user interface. The survey data we mentioned earlier highlights the difficulty of utilizing raw data logs to quickly assess a threat or analyze data consumption to make assertive policy decisions.

WatchGuard Dimension is now available with WatchGuard’s 11.8 launch of its XTM security platform solution. But there’s more in the release too. We have added Data Loss Prevention to the platform and updated the Web user interface to make it responsive and compatible with mobile devices.

Ready to try it out? For complete Dimension information and features, please click here.

The benefits of WatchGuard XTM for distributed enterprises

When South Korean retailer Ministop needed to build a network with centralized connectivity and manageability for seamless communication between its 2,000 retail locations and corporate headquarters, there was only one clear option: WatchGuard.

Ministop, which operates a franchise of convenience stores across South Korea, wanted to ensure that any system it put out was a partnership between the stores and headquarters. Ministop chose WatchGuard’s Extensible Threat Management platform for its Unified Threat Management needs based on several critical factors: price, functionality and performance.

Ministop deployed WatchGuard XTM solutions at its operation headquarters, logistics center, and stores, creating a safe, integrated network environment, while improving work and management efficiency.


WatchGuard streamlines operations

After implementing the WatchGuard solution, Ministop now has a centralized security policy management system. When new policies are created, Ministop can immediately apply them across the entire network.

This means that potentially harmful external security threats including Active-X, malicious JavaScript codes and video file downloads can be centrally blocked. Additional steps to mitigate the risk of internal data leakage, which prevents the damage from data loss, have been implemented as well. As a result of increased business efficiencies, Ministop Korea managed to reduce the costs associated with network failures by 30%.

The previous procedure required the monitoring center to be notified of any abnormalities before any action could be taken. Now, WatchGuard’s XTM utilizes real-time monitoring of any changes in internal traffic, which allows for immediate confirmation and response without delay.

Ministop has also seen an improvement in overall network performance, which is in line with recent performance testing of WatchGuard’s UTM solutions.

The full case study that details which WatchGuard XTM solutions Ministop implemented as well as the business results it is seeing can be found here.

Protection from the Inside Out

This post is by Roger Klorese, WatchGuard’s Director of Product Management.

When we talk about security and compliance requirements, the discussion is usually about keeping bad stuff out — protecting the network from threats, in the form of intrusions, malware, phishing spam, or others. And that’s the view most organizations take to the problem. But they’re only thinking about half the problem. Protecting the network is not just about keeping the bad stuff out, but also about keeping the good stuff — confidential information and other valuable assets — in.

This is why today we are announcing the upcoming availability of WatchGuard Data Loss Prevention, which will be available as part of our growing Unified Threat Management solution. Right out of the box, it recognizes information from many countries (18 at first, with more to come). It can find the information you need to protect — credit card numbers, home addresses, health information, and lots more — not only in your email and web pages, but in 30 of the most common document types you might be sending (including Microsoft Office files and more). It recognizes confidential documents not because you magically tagged them with a special program, but because you used your normal “Confidential” marker in them.

And if selecting from the more than 200 rules included in the product still sounds like a lot of work, how about a single check box to enable checks for the most popular compliance regimes such as PCI DSS and HIPAA? Are you ready for Data Loss Prevention?

Accidental Data Loss a Top Priority

We recently surveyed more than 2,100 security experts around the world about the regulations that govern their operations, the types of information they need to protect, and whether or not they currently do take any actions to protect it. Here are some of the most interesting things we’ve learned from our customers and from industry analyst sources — and how we’re going to help you follow through on your data loss prevention concerns.

The results of our Data Loss Prevention survey show some surprising results


The information that most companies told us concerned them the most about losing was financial data, as one might expect. But personally identifiable information (PII) such as national ID numbers followed close behind, as did credit card numbers.

While about a third of companies surveyed each said Payment Card Industry (PCI), Personal Health Information (PHI) and other regulations governed them, more than half said the regulations that affected them were regional data privacy concerns. With the recent high-profile PRISM news, it’s easy to see why this concern would be even more on people’s minds than ever.

About a third of the companies surveyed reported that they did business in more than one country — making their need to protect different types of data under different regulatory regimes even more complex.

Surprisingly, only a little more than half of the companies even had a policy that made it clear to their employees what information could be shared and what needed to be protected. You might think it’s a common-sense issue, but without clear guidance, employee judgment carries too much of the responsibility for decision-making. And only a third of the organizations had any technological solution for data loss protection (DLP).

Protecting from accidental disclosure

Why do so few companies use DLP technology to keep their information safe and their behavior in compliance? More than half say it’s not a high priority for them. (Which is likely to be true until they suffer the costs of a breach, including the regulatory fines that can hit them.) Many others say it’s too expensive or too complicated. They’re right about standalone DLP solutions — but those products, which often cost in the millions of dollars, are meant to block everything from an accidental leak in email to a disgruntled employee walking out the door with a flash drive full of the corporate assets.

For the accidental data loss that can occur over the network via web or email, though, companies should be able to leverage the same sorts of systems that help them keep the bad stuff out — unified threat management (UTM) systems. But until now, these products have come up short. Either they’ve been limited in their ability to recognize global data — for instance, with only one or two built-in rules for national ID detection — or they’re delivered with no rules at all built-in, requiring you to roll your own! How many of you would be driving your car today if you’d had to build it yourself?! Some products even require you to tag the documents you want to protect with a special “watermark” — if you missed a valuable one, or you accidentally pasted the wrong information into an email message, your loss. (Literally.)

Just as WatchGuard offers with all the security services our UTM platform offers to keep the bad stuff out, we use best-of-breed technology to help you keep the good stuff in. And we let you manage it from a single pane of glass, for one UTM appliance or hundreds.

We’ve looked at security from both sides now — from outside in and from inside out — and the choice is clear: the powerful UTM capabilities of WatchGuard XTM. Request your demo of WatchGuard Data Loss Prevention now! The product will be available in September.

Risky Employee Behavior and the Need for Data Loss Prevention

It stands to reason that not all data loss from within an organization is malicious. In fact, in most cases data loss is the result of common mistakes that employees make. To understand the risks employees pose to confidential data, it is important to understand common risky behavior, as well as common errors that employees make that heighten the risk of data loss and spur the need for data loss prevention.

Sending Confidential Documents to Personal Email Addresses

Many of us are guilty of this. Rather than take home our company‐issued laptops to work on a document that contains sensitive data, we send the document to our personal email account, like Hotmail or Gmail, intending to work on it when we have a moment over the weekend. The issue here is that this behavior poses a high risk to the confidential data being transmitted because these types of applications do not use the same security standards or email encryption that have been implemented throughout company email networks. Although you may have stringent policies on what can be sent via email, if you do not have the same protection in place across web, then this sensitive information may be at risk as it passes through mostly unmonitored waypoints.

Human Error

With all of the automation and new features being introduced in business communications tools and applications today, the likelihood of human error as a threat vector has never been higher. Consider, for example, the Microsoft Outlook AutoComplete Email Address feature, whereby the system populates the “To” field in an email by detecting the first few letters input by the sender and filling in the first name that matches. Unless the employee diligently checks that the recipient address is the intended one, sensitive data can end up in the wrong hands.

Unauthorized Sharing of Corporate Computer Resources

Many employees bring their company‐issued laptops home and share the devices with friends and family members. Occasionally, an employee, in an effort to provide guidance or mentoring to a friend, may even share a document with a personal contact to provide a sample template. Or, on the flip side, an employee may share a confidential document with a friend to get some brainstorming ideas. Consider a third scenario whereby employees do not lock their desktops when leaving their desks, leaving sensitive information exposed should someone access the employee’s computer. Although not malicious in nature, this type of behavior is another example of common root causes of unintentional data loss.

Abuse of System Access and Privileges

System access can be used for any number of malicious tactics by employees, but it also accounts for 46% of data breaches. This involves the malicious use of information assets to which an employee is granted access. Even more alarming is that 51% of data breaches that originate from internal sources come from regular employees (see chart at right).

These are just some examples of risky employee behavior that contribute to the likelihood of unauthorized data loss. Now, more than ever, companies have to be diligent at not only creating a strong data loss prevention policy management program, but implementing and monitoring it to identify violations and security gaps. Organizations owe it to themselves and their customers to keep information from falling into the wrong hands. At the same time they need to ensure that legitimate business processes and communications are not hindered.

An effective data loss prevention (DLP) solution can accomplish this by providing the ability for compliance and policy officers to create granular outbound policies by user, group or domain. Different people have varying roles and responsibilities; having a DLP solution that recognizes this and enforces appropriate, user‐ or group‐level policies while not hindering the regular course of business is imperative.

The Data Security Threat to Every Organization

Any time data is set into motion – accessed in an unconventional way, forwarded to a co‐worker, sent to a printer, etc. – data security is put at risk. Managing (and controlling) data‐in‐motion is a requirement for businesses to function effectively and efficiently. At the same time, it is also a growing data security threat that requires proactive data loss prevention solutions.

Data loss (or leakage) occurs in every organization either unintentionally or maliciously. In fact, according to the Ponemon Institute, 3 out of 5 organizations have experienced a data loss or theft event, and approximately 9 out of 10 data loss or theft events go unreported.

In addition, all types of data are vulnerable. Why? More and more employees rely on email for business communications and they use email as a central filing system where they store the bulk of their critical business information. This dramatically increases the probability of leaking sensitive or confidential data. All it takes is for a recipient’s email address to be misspelled or an incorrect key to be pressed by an employee and a message containing confidential information ends up in the wrong hands. All of us can relate.

At some point or another, we have pressed the send button a little too hastily and realized, after the fact, that our email ended up in an unintended recipient’s inbox. In addition, advances in technology make it even easier for this inadvertent data loss to occur. For example, the Microsoft Outlook AutoComplete Email Address feature adds a great convenience to our email experience, but if you start typing “susan@bigtaxfirm.com” and the system automatically picks up the first “susan” as being “susan@analystfirm.com” without you noticing, that data can end up in the wrong hands and could have a detrimental effect on your business.

Data loss can be attributed to many factors such as computer loss or theft, hacking, malware, network exposure, and more, and many of these causes can be avoided. To prevent data loss, an organization needs a comprehensive data loss prevention solution that not only protects networks from inbound threats to data, but also addresses outbound data loss to prevent confidential consumer, personal, and sensitive corporate information from exiting the organization.

So what’s the Cost of a Data Breach?

Data loss becomes a significant problem and risk as organizations are trying to meet and manage regulatory and internal compliance and control requirements, including:

  • Government & Industry Compliance Regulations: e.g. HIPAA, PCI, GLBA, SOX, etc.
  • Internal Policies: C‐level rules, sensitive and confidential information
  • Acceptable Use: HR policies, sexual harassment and legal violations that can occur in messaging
  • Intellectual Property: Trade secrets, sales reports, financial statements, sales or business plans, etc.

Getting caught losing sensitive data is expensive, disruptive, and damaging to carefully nurtured corporate images. There are significant hard costs to non‐compliance in mitigation and remediation to affected individuals such as auditors and board members not to mention regulatory fines and fees to support increased audits. However, often unappreciated are the soft costs to brand equity and competitive advantage which result in lost customers. Enterprises are penalized in both the court of law and the court of public opinion.

If sensitive information is exposed, it’s not only the millions of dollars to fix that breach that costs the company, it can wreak havoc on the company in other ways, such as:

  • Negative PR
  • Brand erosion
  • Loss of consumer confidence
  • Loss of business partner confidence
  • Regulatory fines
  • Stock market loss
  • Legal fees
  • Implementation of internal processes

Whether your data loss is accidental or malicious, you need to gain insight into the magnitude of your data loss problem, identify security gaps, and develop a proactive approach to prevent data loss before it happens. The vast number of potential avenues, along with the wide array of privacy and security requirements, has escalated data loss prevention into a critical issue that can only be addressed by comprehensive data loss prevention tools that are used to accelerate business, protect your organization, and ensure privacy. Organizations can no longer afford to ignore data security. The day when the fall‐out from one data loss incident is sufficient to bankrupt a business may not be far away. Don’t let it be yours!

DLP in Two Minutes

Most people have sent an email and right after clicking the send button have realized, “Uh oh, that was not the intended recipient.” Did you know that is unintentional data loss? Usually, this type of accidental data loss isn’t a big deal, but if valuable information were to get into the wrong hands the result could be catastrophic for your company.

In order to understand Data Loss Prevention, it is important to have a clear understanding of data loss, and while it may seem like a rather simple concept, the simplicity is what makes it so frightening. Any time data is set into motion – accessed in an unconventional way, forwarded to a co-worker, sent to a printer, etc. – its security is put at risk. In fact, 3 out of 5 organizations have experienced a data loss or theft event. So, when you think about how often you send something to a coworker, or access your work via your home computer or mobile device, the likelihood of data loss becomes pretty significant.

More often than not, data loss is unintentional.  Fortunately, WatchGuard strives to ensure that your company’s corporate data is safe and secure through advanced Data Loss Prevention technologies.

Data Loss Prevention is a security term that refers to a solution that identifies, monitors, and protects sensitive data to detect and prevent the unauthorized use and transmission of confidential information.

Data Loss Prevention is:

  • A business tool that requires a comprehensive strategy
  • Technology that inspects sensitive content, and audits and enforces content use policies

Data Loss Prevention can be used for:

  • Regulatory due diligence
  • Intellectual property protection
  • Accidental data loss
  • Data theft

1. The insider who acts with malicious intent: This is typically someone with administrator rights or privileges to access sensitive information or data — aka a trusted employee with normal access rights to confidential data. What happens if this employee decides to leave and joins a competitor, or simply tries to trade this information for cash?

2. The non-malicious insider who violates policy or leaks data without necessarily seeking to do so: For every malicious insider, there are dozens to hundreds of employees who are simply trying to get their work done. In the process, they perform all sorts of unwitting policy violations that put your company’s confidential data at risk.

The WatchGuard 2 minute DLP will show you just how easy it is to implement data loss prevention into your business network.  Two minutes with WatchGuard DLP can mean the difference between “oops, I didn’t mean to send that,” to front-page, headline news.

Putting an End to Cyber-bullying

There’s a show on The Style Network called “Too Fat For Fifteen Fighting Back” in which teens that are dealing with morbid obesity have chosen to live healthy lifestyles. What does this have to do with security, you may ask? Well, on a recent episode, many of the counselors and teens talked about how they had been bullied and a bullying expert discussed ways to stand up to bullies.

However, with the high adoption of technology by the younger generation, bullying has left the playground and entered the cyber world. Today it is common for children to be bullied 24-hours a day, 7 days a week! Cyber-bullying is different to traditional harassment because humiliating rumors, threats and vicious taunts can be viewed by millions and can be devastating to youth and their families. How are children and adults expected to fight now?

How to prevent cyber-bullying is a hot topic, not only with education, but the government. On March 10th the White House held its first Conference on Bullying Prevention to address best ways to prevent cyber-bullying. However, though facts about cyber-bullying and prevention may be a hot topic, many schools still don’t teach kids how to handle cyber-bullying incidents. According to a survey released by the National Cyber Security Alliance and Microsoft, it was revealed that only 26 percent of K-12 teachers taught kids how to handle incidents of cyber-bullying, while only 15 percent spoke to students about online “hate speech.”

There is good news. Today schools can stop cyber-bullying before it happens. With the advancement in technology, network security has become more and more important not just for keeping hackers out, but for also protecting students.

How does WatchGuard stop cyber-bullying in its tracks?

Easily. WatchGuard Extensible Content Security (XCS) features the ability to block or flag cyber-bullying, slander and comments related to depression and suicide through traditional email, webmail (such as Gmail) and Internet sites including Facebook. This means that attempted posts to Facebook can be blocked due to the nature of the words used in the post. The user only sees an error message, and would believe that either Facebook has blocked the post, or Facebook is currently down.

Email Security Solutions Becoming a Hot Topic

Fresh on the heels of the massive email security breach at Epsilon, we’re seeing a renewed interest in email security solutions and email encryption. And that’s a good thing! It’s not just Epsilon that experiences email security breaches; just do a Google search on ‘email security breach news’ and see for yourself. One study – Email still the top source of data loss, by Help Net Security – revealed that more than 35 percent of companies surveyed had investigated a leak of confidential or proprietary information via email over a 12-month period. On average, respondents estimated that as many as one in five outbound email messages contain content that poses a legal, financial, or regulatory risk.

According to the Ponemon Institute’s annual U.S Cost of a Data Breach Study, non-compliance costs are 2.65 times higher for organizations than compliance costs. That means that companies with ongoing investments in compliance-related activities save money compared with organizations that fail to comply with government and industry mandates. In short, it pays to be compliant.

Email encryption is an essential component of regulations that are designed to protect the privacy and reliability of business and personal information.

Email Encryption Laws and Regulations

The following list includes just some of the requirements that are driving encryption adoption in the United States and around the world.

  • HIPAA and HITECH: Encryption is now a primary aspect of HIPAA (Health Insurance Portability and Accountability Act) since the passing of HITECH (Health Information Technology for Economic and Clinical Health Act) regulations in 2009. HITECH requires healthcare providers to notify individuals when their protected health information (PHI) is breached. For example, if a hacker hijacks unencrypted PHI in transit from a physician’s office, the physician practice would have to inform the patients and the Department of Health and Human Services of the breach. However, if the electronic PHI is transmitted in encrypted form, notification is not necessary even if there is a security breach. Email encryption grants safe harbor because it can be assumed that the transmitted data is unreadable by unauthorized individuals.
  • PCI DSS (Payment Card Industry Data Security Standards) is very clear. Requirement 4 mandates the encrypted transmission of cardholder data across open, public networks.
  • EU Data Protection Directive (also known as Directive 95/46/EC) was designed to protect the privacy of all personal data collected for or about citizens of the EU. According to the Information Law Group’s Code or Clear? Encryption Requirements, encryption is becoming a mandatory checklist item to establish “reasonable” security for sensitive categories of data for the EU, and “… it would be difficult to defend an organization’s security measures for sensitive data as ‘reasonable’ without reference to such [email encryption] standards or industry practices.”
  • SOX (Sarbanes-Oxley Act) governs the integrity of financial operations of publicly traded companies with the primary goal of protecting “investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws.” Although email encryption is not explicitly mandated as part of the internal controls, SOX implies the need for encryption to protect the integrity and confidentiality of financial information.
  • GLBA (Gramm-Leach-Bliley Act) requires that all financial institutions maintain safeguards to protect customer information. Although GLBA does not expressly require email encryption, it does require that financial institutions implement the necessary technological controls to protect the privacy and security of customer financial information. The Federal Financial Institutions Examination Council (FFIEC) recommends that institutions employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. If a financial institution does not deploy encryption to the degree expected by the FFIEC, then the institution must demonstrate that it considered the use of encryption and justify why it chose not to deploy it. Financial institutions, therefore, must carefully evaluate the need to encrypt emails to protect against unauthorized access to sensitive information.
  • California Security Breach Notification Act (SB 1386) requires a business, regardless of its location, that owns or licenses personal information about a California resident to implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized disclosure. If protected information is acquired by an unauthorized person, then the business must promptly give notice, but only if the data was not properly encrypted.
  • Nevada Statute, passed in 2008, made Nevada the first among a growing number of states to specifically require email encryption for messages that contain personal customer information. The statute states that, “A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”

The consequences of violating these and other government and industry encryption requirements can include fines (for example, the HITECH Act allows for penalties of up to $1.5 million), incarceration, public embarrassment, loss of business privileges and customer/client/patient/stakeholder trust. Once again, and in short, it pays to be compliant.