Credit Reporting Companies Co-Opt Encryption

Equifax, Experian and TransUnion have revealed plans to collaborate on encryption standards to strengthen their protection of sensitive consumer data, which has increasingly become the favorite target of attackers motivated by profit.

There was praise for the agencies' increased protection plan, which will include coordination on industry encryption standards and 128-bit key encryption. However, there was also concern that the credit reporting companies were leveraging a loophole in breach disclosure laws that means compromises of encrypted databases do not have to be made public.

"The issue we've been considering is whether a security breach, based on identification laws, should exclude data that's encrypted," Electronic Privacy Information Center senior counsel Chris Hoofnagle told TechNewsWorld. "That's a key hole in the law."

Progressive and Necessary

Against the backdrop of several high-profile credit card information breaches -- including last June's fiasco involving nearly four million CitiFinancial customers whose data was in danger following a faulty transfer of of unencrypted information to Experian -- the credit reporting companies called the cooperation an advance for consumer data protection.

The companies said the coordinated approach -- employing Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES) algorithms -- would give "data furnishers" the choice of a single, standard encryption for reporting to Equifax, Experian or TransUnion.

"This cooperative effort to simplify, clarify and accelerate the use of industry-level encryption standards is progressive and necessary," said Consumer Data Industry Association President and CEO Stuart Pratt in a statement.

Encrypting Off the Hook

EPIC's Hoofnagle said although making it easier for furnishers to submit sensitive data in encrypted form was a "net good" for consumers, the collaboration may also represent the companies' effort to sidestep breach disclosure laws, such as California's, which had to be reconsidered in light of the loophole.

"On the one hand, the more companies using encryption the better," he said. "On the other hand, employing encryption may result in the public not being told about database breaches, even if they're significant."

Hoofnagle also indicated the cooperation among the credit reporting companies was likely a direct result of recent breaches where encryption would have better safeguarded consumer data.

"We assumed those banks were big and sophisticated enough that encryption would regularly be performed," he said.

Best Practices, Inside Threats

Verisign iDefense senior engineer Ken Dunham told TechNewsWorld the encryption standards that the credit reporting companies referred to were basic "best practices" for information security.

While he praised the effort, Dunham also added all companies must take a holistic view of their policies and procedures, especially concerning internal threats, which represent the biggest risk today.

"Whenever we have collaboration to improve security, and when we're looking at core components such as encryption, it's good," he said. "The danger of any such program is, you have to realize it has to be a comprehensive plan. An insider might steal information and compromise the entire database."