Where Does Encryption Fit in Privacy Regulations?

Anas Baig / 6 min read.
May 11, 2020

Organizations today view data as an asset. In fact, most companies pride themselves on the data they have. Yet at the same time, global privacy regulations have put strict rules on how organizations store and secure customers’ data.

According to a recent study by IDC, by 2023, people will create nearly 102.6 zettabytes of data every year. Data volumes like this may sound good, but they leave consumers open to a broader array of cybercrimes and make organizations vulnerable as well. Organizations are stepping up their data encryption practices in an effort to make the data they have stored safer and to reduce the risk of data sprawl.

Data Encryption Under the GDPR

The General Data Protection Regulation (GDPR) is the largest data privacy regulation in the world and is currently viewed as a base standard. The GDPR recognizes encryption as an important part of ensuring data privacy, which is why, under Article 32, “Security of processing”, the GDPR states:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  1. The pseudonymization and encryption of personal data;
  2. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Recital 83 of the GDPR addresses protecting consumers’ data. The recital states:

In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

All in all, the GDPR requires organizations to incorporate data encryption or a substitute that will protect consumer data and mitigate the risks associated with data transfer such as data sprawl or cyberattacks. That being said, there are no specific fines associated with not applying data encryption, but it is wise to encrypt data.

Encryption Laws Under the CCPA

The California Consumer Privacy Act (CCPA) makes no specific mention of data encryption, although companies are encouraged to incorporate some sort of data security on stored data. There is, therefore, no explicit mention of fines associated with data encryption, but there are fines associated with data breaches ($750 per consumer). However, these fines can be waived if encryption is in place because the data breached is encrypted and unintelligible without the decryption key.

For the maximum level of security, encryption should be incorporated with the data in order to protect it during transfer, regardless of where it is shared, as well as during storage. Organizations have a responsibility to consumers and need to offer data-centric encryption layered into their data management solution for secure transfer of data when fulfilling data subject rights (DSRs). Under the California Civil Code Section 1798.81.5, an organization that processes a California resident’s personal data is obligated to implement and maintain reasonable security procedures and practices appropriate to the nature of the information it processes.

Encryption Laws Under LGPD

Just like the CCPA and GDPR, the LGPD (Brazil’s General Data Protection Law / Lei Geral de Proteção de Dados Pessoais) does not specifically require organizations to encrypt their data, but still requires an organization to implement a reasonable amount of security when dealing with a consumer’s personal information. The easiest and most efficient way to achieve this is through encryption.

LGPD requires organizations to incorporate best practices in data security for personal data. The LGPD notes that any personal data that has been encrypted or anonymized to a degree that makes it unintelligible, and that cannot easily be returned to its original state by those who might breach the data, is no longer considered to be within the scope of the law.


Encryption Laws Under HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement some kind of data security in order to protect patient information from cyberattacks and data sprawl.

The HIPAA encryption requirements point towards technical safeguards relating to the encryption of Protected Health Information (PHI). This is defined as an addressable requirement. The HIPAA encryption requirements for transmission security state that covered entities should implement a mechanism to encrypt PHI whenever deemed appropriate. This instruction is considerably vague and open to interpretation.

In other words, HIPAA requires organizations to have some degree of security for protected health information, but if the organization can justify why they cannot implement encryption and can provide an equal alternative, they are not obligated to encrypt this data.

Encryption Laws Under PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA), in Canada, is a data privacy regulation that regulates the storage, usage and disclosure of personal information by private sector organizations.

Under PIPEDA, a consumer’s personal information must be secured by safeguards that are appropriate to the sensitivity of the personal information, including technological measures, such as the use of passwords and encryption. Organizations can be fined up to $100,000 for noncompliance with PIPEDA.

Fines Associated With Encryption Laws

Although the CCPA, GDPR and LGPD contain no explicit fines associated with not implementing encryption, encryption may protect organizations from fines related to a data breach.

As for HIPAA and PIPEDA, the law requires organizations to have proper encryption in place for consumers’ personal information unless the organization can provide a viable reason as to why it is unable to implement encryption and can provide an equal alternative.

If an organization does not have a solid reason for not encrypting, it can be fined heavily. For example, the University of Rochester Medical Center (URMC) has paid a $3 million HIPAA penalty in part for the failure to encrypt mobile devices, along with other HIPAA violations.

Encryption Best Practices

Encryption is an important part of any company’s security, so find out the best way to implement data encryption in your organization to avoid making it more vulnerable to a data breach.

What follows are some of the best practices for organizations to follow to ensure an efficient encryption system:

  • The first and foremost point, which may seem obvious, is to keep your encryption key secure. This is specifically mentioned because mistakes can be made that could allow unauthorized parties to access your data.
  • It is paramount that all types of sensitive data are encrypted. As safe as you may think your data is, you know that several companies have been breached because they left important data unencrypted and someone gained access to it.
  • Assess data encryption performance. Effective data encryption entails not just making your data unreadable to unauthorized parties, but doing so in a way that uses resources efficiently.
  • Data can be at risk both in transit (when being transferred) and at rest (stored for later use), and requires protection in both states. Encryption plays a crucial role in data protection in transit and at rest. Also, in most cases, it is recommended to use a VPN if you need an extra layer of encryption.

Key Takeaway

Data encryption is a crucial part of any organization’s data security and secure data transfer.

With organizations bringing in zettabytes of data every year, incorporating data encryption practices should be viewed as part of any security efforts. In this era of data privacy, encryption is no longer an option, but rather a necessity and companies would do well to encrypt all their sensitive data.


About Anas Baig

With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at SECURITI.ai. He holds a Degree of Computer Science from Iqra University and specializes in Information Security & Data Privacy.
