Six months ago, I also posed a question to Hu Yoshida at HDS (See Waiting for my Marriott Letter) about his comfort level with encrypted versus unencrypted state of lost data. To which, he responded:
My vote would be for encrypted and not lost. But since it is lost, it would make me feel more comfortable if the data were encrypted. (See More Comfortable, encrypted and lost?)I am sure most IT people have some awareness of technical issues with encrypting data-at-rest like key management and encrypt/decrypt performance, etc. I am not a cryptography expert and my concern is very simple and non-technical:
Can anyone assure me that current encryption level used for data-at-rest will not be cracked in the future?I prefer immediate feedback instead of delayed gratification so I rather see the impact of my personal data loss immediately instead of five or seven years down the road. At least if my data is compromised tomorrow and proper disclosures were made, I know where and how my data was lost, who is responsible and what corrective actions needed to prevent further misuse.
But if the same data is compromised five years later, I have no information on the source of data that was compromised, recourse and leverage with organizations responsible for it. Most organizations may not even accept legal responsibility claiming that they offered credit monitoring for limited period in return for individual waiving any future claims.
With encryption of data-at-rest, are we trading peace of mind today for getting screwed tomorrow?With the current disclosure practices and lack of fraud detection methods, I feel that encryption is going to create an underground "futures" market for trading lost data.