NetLib News

Data Extortion
Monday, June 22, 2009

One of the least talked about aspects of computer data theft is an old crime, updated to take advantage of new technologies: extortion.  An increasing percentage of hacking is done purely for economic gain, and more and more of it takes the form of demands for ransom of your data.  

Imagine getting an anonymous letter threatening to release millions of sensitive, private personal medical records stolen from your computer system.  Oh, and, by the way, don't bother looking for those records; the thief erased them and has the only backup copy.  The cost to get your records back?  $10 million.  That just happened last month to officials at the Commonwealth of Virginia Department of Health Professions (DHP).

The Virginia DHP operates a prescription-monitoring program, a massive database of prescriptions to facilitate the investigation of potential drug abuse.  More than 8 million patient records and the records of more than 35 million individual prescriptions were stolen on April 30th.  According to the demand letter, which was originally published on Wikileaks, if DHP didn't pay $10 million within 7 days, the hacker would release the records to the public.

Although larger in scope than many, this is not a rare occurrence.  Thousands of data-related extortions occur each year, but remain unreported.  If your organization has any records stored in its computers that you or the public would not want released, you are a potential victim.  Here are three more recent examples that did make the news:

On March 31, 2006, Kevin Michael Stewart allegedly broke into the offices of Medical Excess LLC, an AIG member company in Indianapolis, Indiana, and stole a computer server holding sensitive medical information about 900,000 policyholders.  According to FBI reports, Stewart demanded that a ransom of $208,000 be paid to him or he would release the medical records to the Internet.

In November of 2008, Express Scripts, a large national Pharmacy Benefit Manager (PBM), announced that it had received an anonymous letter demanding an undisclosed amount of money or the sender would release private medical data to the public.  To establish credibility, the unknown sender included private details of 75 patients.

In September of 2008, a California man was arrested and charged in connection with a plot to extort money from Maserati North America.  Bruce Mengler is alleged to have stolen information from Maserati's computers about thousands of Maserati customers and prospects in the San Diego area and demanded money in exchange for silence about the security breach.  If Maserati did not pay, according to reports, he threatened to blast the data on the Internet or take it to Maserati's competitors.

Authorities recommend that if your data is stolen you report it immediately, even if current laws don't require you to do so.  It is a violation of federal law (18 U.S.C. section 1030) to demand money in exchange for the return of stolen data, and the FBI and other federal and state law enforcement authorities will investigate vigorously.  Most law enforcement officials urge you not to pay, simply because once a thief has the data he can copy it and demand money again and again.  

Let's face it.  It is impossible to guarantee the safety of data-at-rest in your computers, either from hackers or from a disgruntled employee who feels you didn't give him a big enough raise.  But there is something quite easy you can do to mitigate the costs to you if there is a break-in: encrypt your data.  If someone does manage to steal the data in your databases, they won't be able to read any of it—it will be useless to them.
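The following is an added example, not NetLib's code or any product described here, showing what "encrypt the data in your databases" looks like in practice: each record's sensitive fields are sealed with AES-256-GCM before they are written, and the key is held by the application (in production, a KMS or HSM), never in the database file.  The record ID is bound into the ciphertext as additional authenticated data, so a blob cannot be quietly moved to another row or altered without detection.  The `Vault` and `Prescription` names and the sample rows are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Prescription is a constructed stand-in for a row in a health-records table.
type Prescription struct {
	ID      string
	Patient string
	Drug    string
}

// SealedRecord is what the database actually stores: the ID in the clear
// (needed for lookups) and the sensitive fields as one opaque AES-GCM blob.
type SealedRecord struct {
	ID   string
	Blob []byte // nonce || ciphertext || GCM tag
}

// Vault holds the AES-256-GCM key. It lives with the application (or in a
// KMS/HSM), not in the database, so a stolen copy of the rows is unreadable.
type Vault struct{ aead cipher.AEAD }

// NewVault wraps a 32-byte key; any other length is rejected outright.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("vault key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts the sensitive fields under a fresh random nonce. The record ID
// is passed as additional authenticated data, binding the blob to its row.
func (v *Vault) Seal(p Prescription) (SealedRecord, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return SealedRecord{}, err
	}
	plaintext := []byte(p.Patient + "\x00" + p.Drug) // NUL-separated fields
	ct := v.aead.Seal(nil, nonce, plaintext, []byte(p.ID))
	return SealedRecord{ID: p.ID, Blob: append(nonce, ct...)}, nil
}

// Open decrypts and authenticates a stored row. A wrong key, a modified blob,
// or a blob attached to a different ID fails instead of returning garbage.
func (v *Vault) Open(r SealedRecord) (Prescription, error) {
	ns := v.aead.NonceSize()
	if len(r.Blob) < ns+v.aead.Overhead() {
		return Prescription{}, errors.New("blob too short")
	}
	pt, err := v.aead.Open(nil, r.Blob[:ns], r.Blob[ns:], []byte(r.ID))
	if err != nil {
		return Prescription{}, fmt.Errorf("record %s: %w", r.ID, err)
	}
	parts := bytes.SplitN(pt, []byte{0}, 2)
	if len(parts) != 2 {
		return Prescription{}, errors.New("malformed plaintext")
	}
	return Prescription{ID: r.ID, Patient: string(parts[0]), Drug: string(parts[1])}, nil
}

func main() {
	key := make([]byte, 32) // production: fetched from a KMS/HSM, never stored beside the data
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	row := Prescription{ID: "rx-1001", Patient: "Jane Example", Drug: "lisinopril 10mg"} // constructed
	sealed, err := v.Seal(row)
	if err != nil {
		panic(err)
	}
	// A thief copying the table sees only the ID and this hex blob.
	fmt.Printf("stored  %s: %s\n", sealed.ID, hex.EncodeToString(sealed.Blob))
	// The application, holding the key, recovers the fields.
	opened, err := v.Open(sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("opened  %s: %s / %s\n", opened.ID, opened.Patient, opened.Drug)
}
```

Two caveats a practitioner would add to the article's advice.  First, this protects confidentiality only: in the Virginia case the records were also erased, and no amount of encryption replaces offline, tested backups.  Second, the protection is only as good as key separation; if the key sits on the same compromised host or in the same dump, the thief can read the data, and breach-notification exemptions for encrypted data generally do not apply once the key is believed compromised.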

In addition, many states exempt encrypted data from their breach notification laws, so even if you are hacked, if your data was encrypted, you may not need to spend the potentially massive amounts of money required to comply.