Organizations large and small across all industries collect and process personal information, be it user information, customer information or employee information. Some of this information may be sensitive; some may be subject to stricter laws in other countries. In our practice, among the many data protection requirements to which an organization may be subject (depending on a number of circumstances), security is one that too many organizations overlook. To some extent, this may be due to the fact that – with the exception of some sector-specific rules – many laws relating to the protection of personal information are non-specific when it comes to security standards. For a variety of reasons, data protection laws tend to espouse a somewhat esoteric notion of “reasonable” security measures commensurate to the sensitivity of the data and the nature of the processing – much to the chagrin of organizations hoping to easily ascertain the practical scope of their obligation to protect data. However, encryption is one method that is often specifically cited when it comes to data protection standards.
What is Encryption?
At a high level, encryption is the process of scrambling information and rendering it unintelligible, such that only someone with a “key” can decipher and read it. Simply put, an algorithm encrypts the data and the encryption key enables the receiving party to decrypt it. Data prior to encryption is referred to as plaintext, while the scrambled information is referred to as ciphertext. Only an authorized party with a key should (in theory) be able to revert ciphertext to plaintext – hence the term “decipher” – in order to access and read the data in its original state.
Data can be encrypted at rest and/or in transit, and there are different categories/levels of encryption, none of which we address here because this is, after all, a legal blog. Suffice it to say, however, that encryption, when properly implemented, is generally viewed as a strong way to secure personal information.
Encryption for Data Protection
Many, if not most, U.S. state data breach laws exempt companies from their notification requirements where the personal information subject to the unauthorized access is encrypted, provided of course that the encryption key has also not been accessed or acquired. This is because encrypted data is unintelligible to those who have nefariously gained access to it, so long as the encryption key was not also accessed. Likewise, personal information that is encrypted will not trigger the CCPA’s limited (and potentially costly) private right of action in the event of a data breach. On the flip side, if certain types of personal information are subject to an unauthorized access and exfiltration, theft, or disclosure and are unencrypted, the CCPA carries statutory damages ranging from $100-$750 per consumer per incident or actual damages, whichever is greater. This can add up very quickly. Organizations that appropriately encrypt personal information and suffer a data breach may therefore be significantly more protected from fines and litigation.
On the other side of the pond, the GDPR specifically mentions the use of encryption as a technical and organizational measure (security), and in 2018, the then-Article 29 Working Party noted that the availability of strong and efficient encryption is a necessity in order to guarantee the protection of individuals with regard to the confidentiality and integrity of their data, which are the elementary underpinning of the digital economy. More recently, the CJEU’s Schrems II case, which invalidated the Privacy Shield and generated confusion as to the validity of transfers of personal data outside of the EEA, brought encryption to the forefront. Among the technical supplementary measures identified to mitigate risks to data subjects, many pointed to the need for encryption, including the European Data Protection Board, which noted that encryption could constitute an adequate safeguard so long as keys remain within the EU or trusted third countries. Organizations that appropriately encrypt personal information may therefore also be in a better position to receive transfers of personal data from controllers in the EU. If your organization provides services that involve processing personal data to customers in the EEA, it will help as you navigate the increasingly prevalent requests for transfer impact assessments.
Other laws also specifically refer to encryption as a method for protecting personal information. Overall, while encryption is often a topic of debate especially when it comes to law enforcement, the general consensus is that appropriate encryption can enable organizations to demonstrate at least some level of data protection (though encryption alone is not sufficient).
What Should Organizations Consider with Respect to Encryption?
There are, of course, residual risks to encryption: even if a system uses encryption, certain data (e.g., metadata) may still be subject to an unauthorized access. In addition, encryption keys must be kept secure to avoid compromise. The loss of a key (even in the absence of an unauthorized access) is equally problematic because this will preclude anyone from accessing the data, and could, under certain circumstances, constitute a data breach. Additionally, key re-use should be avoided. In other words, using cryptography is one thing, but getting it right is equally important. Nevertheless, organizations should learn to love encryption – and properly implement it. Among other things, it can be a “get out of jail free” card for data breaches, and it will boost your customers’ confidence in your ability (and willingness) to secure data.
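The following Go program is an added example, not code from the original post, that makes concrete both the plaintext/ciphertext/key relationship described under "What is Encryption?" and the residual risks listed in this section: a wrong or lost key yields no data at all, a tampered ciphertext is rejected, and yet the length of the protected record remains visible to anyone holding the ciphertext (one form of metadata that encryption does not hide). It uses AES-256-GCM from Go's standard library; the algorithm choice, the function names, and the sample record are assumptions of this example and are not specified anywhere in the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcmTagSize is the fixed authentication tag GCM appends to every ciphertext.
const gcmTagSize = 16

// Envelope is what gets stored: the random nonce plus the ciphertext
// (which, with GCM, already carries the authentication tag).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit key from the operating system's CSPRNG.
// Generating a distinct key per dataset, rather than copying one key
// across systems, is how key re-use is avoided.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds an AES-256-GCM authenticated-encryption instance for key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt turns plaintext into ciphertext under key. A fresh random nonce
// is drawn per call; the nonce is not secret but must never repeat under
// the same key.
func Encrypt(key, plaintext []byte) (Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt reverses Encrypt. It returns an error, and no plaintext at all,
// if the key is wrong (the "lost key" case) or the ciphertext was altered.
func Decrypt(key []byte, env Envelope) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// PlaintextLength shows the residual-risk point: without any key, an
// observer of the ciphertext still learns how long the plaintext was.
func PlaintextLength(env Envelope) int {
	return len(env.Ciphertext) - gcmTagSize
}

func main() {
	// Constructed sample record for this example; not real personal data.
	record := []byte("name=Jane Doe;ssn=000-00-0000")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	env, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ciphertext: %x\n", env.Ciphertext)

	// The right key recovers the record.
	pt, err := Decrypt(key, env)
	fmt.Printf("with key:   %q err=%v\n", pt, err)

	// A different key (stand-in for a lost or destroyed key) recovers nothing.
	otherKey, _ := NewKey()
	pt, err = Decrypt(otherKey, env)
	fmt.Printf("wrong key:  %q err=%v\n", pt, err)

	// Even so, the record's length is visible to anyone holding the ciphertext.
	fmt.Printf("leaked plaintext length: %d bytes\n", PlaintextLength(env))
}
```

Two design points worth noting: an authenticated mode such as GCM is used so that decryption fails outright rather than returning garbage when the key is wrong or the data was modified, and the key is created and held entirely outside the stored envelope, which is exactly why key custody and backup (not the cipher) decide whether the "lost key" scenario above ever happens.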