In honor of National Cybersecurity Awareness Month, we’re sharing our top practical tips for small businesses to keep their data secure. Tip #1 is encryption. The National Institute of Standards and Technology (NIST) defines encryption as “the process of transforming plaintext into ciphertext using a cryptographic algorithm and key.” In plain terms, encryption is the process of securing data by using a digital lock and key.
The premise behind encryption is pretty simple. If you want to keep private papers from prying eyes, how would you do it? You could put the papers in a safe. Only someone who knows the combination to the safe can open it and access the papers inside. Encryption does the same thing to data, except using digital methods. Encryption essentially “locks” data by scrambling it so it becomes unintelligible to anyone who doesn’t have the “key” necessary to unscramble it. The idea is that scrambled data is useless to anyone who can’t unscramble it. It doesn’t matter if the encrypted data falls into the hands of a hacker or is released to the public due to a data security breach. Data that looks like gibberish isn’t very useful.
Understanding this principle is the key to minimizing legal liability under data privacy laws. Take Hawaii’s data breach notification law, for example. The breach notification requirements of Hawaii Revised Statutes chapter 487N-2 apply when a “security breach” has occurred. The term “security breach” refers to “an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.” Did you catch the reference to “unencrypted” records? If data that is the subject of a breach incident acquisition is encrypted, then a “security breach” did not happen for purposes of HRS 487N-2, and compliance with the breach notification requirements of the statute is unnecessary.
The California Consumer Privacy Act (CCPA) that will take effect on January 1, 2020 is another example. A business can be sued by a consumer whose “nonencrypted or nonredacted personal information” is subject to unauthorized access and is copied, transferred, stolen, or disclosed due to the business’s failure to use reasonable security procedures. Want to reduce exposure to private lawsuits under the CCPA? Encrypt consumer data.
The General Data Protection Regulation (GDPR) isn’t quite as black-and-white in carving out liability for encrypted data, but the law certainly incentivizes encryption. For example, Article 34 of the GDPR provides a safe harbor from the data breach notifications where “the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.” (Emphasis added.) While encryption won’t guarantee exemption from the GDPR’s data breach notification requirements, failure to encrypt data almost certainly would trigger the requirements.
It should be fairly obvious by now that encrypting sensitive data is a highly recommended, if not mandatory, cybersecurity measure. How encryption fits into your cybersecurity program depends on your organization’s IT system, the type of data at issue, operational needs, and cost, among other factors. Encryption can deployed at different stages of the data lifecycle. Encryption can also be paired with other data security practices such as pseudonymization and anonymization. Consult a cybersecurity expert and privacy lawyer to determine how best to use encryption to secure your data and minimize legal liability.