Encryption

BCLP
Contact
LinkedIn
Facebook
X
Send
Embed

Encryption refers to the process of converting data into a form that is unreadable unless the recipient has a pre-designated algorithm, a “key,” and a password to convert the information into readable text.  Most statutes, regulations, and agencies that require companies to utilize encryption to protect data do not mandate that a specific encryption standard (i.e., algorithm) be used.  Some statutes do require, however, that companies use an encryption key that is at least 128-bits in length.

When examining whether a company’s use of encryption is reasonable and appropriate for the type of data collected and the risks posed to that data, regulators often examine whether a company utilizes encryption “at rest” and/or “in transit.”  Encryption “at rest” refers to encryption applied to data while it is being stored.  Encryption “in transit” refers to encryption applied to data while it is being transmitted across a network.  Depending upon the type of software being used, and the architecture of a database, encryption at rest may significantly impair the ability of the data to be accessed and used efficiently.  Regulators also look to whether the encryption standardize utilized either at rest or in transit has been publicly compromised or known vulnerabilities.

6

Number of states that require that sensitive information be encrypted when sent across public networks.1

1

Number of states which explicitly require that sensitive information be encrypted when sent wirelessly.2

1

Number of states which explicitly require that sensitive information be encrypted when stored on laptops or on portable devices.3

52

Data breach notification statutes that contain a safe harbor for encrypted data.4

87%

The number of locked devices in 2016 that the FBI claimed it could access despite widespread encryption technology.5

$900,000

Amount the FBI paid a private security firm to identify a vulnerability in the iPhone 5c that would allow the Bureau to crack phone’s encryption.6

What to think about when designing, or reviewing, an encryption policy:

  1. What types of data does our organization encrypt?
  2. Is the data encrypted at rest?
  3. Is the data encrypted in transit?
  4. Is the data encrypted when stored on personal storage devices?
  5. What encryption standards are used at rest and/or in transit?
  6. Are those encryption standards considered “strong” within the security community?
  7. Does your state require a specific encryption standard?
  8. Is there evidence that the encryption key could have been compromised?
  9. Is there a process to review the sufficiency of the encryption standard periodically (e.g., once per year)?
  10. Has your organization contractually agreed to maintain a specific encryption standard?

1. Bryan Cave Survey of State Safeguard Statutes (2015).

2. Id.

3. Id.

4. Id. Applies where the encryption key has not been acquired.

5. The FBI’s Approach to the Cyber Threat, remarks delivered by James Comey, Director of the Federal Bureau of Investigation (August, 30, 2016), available at: https://www.fbi.gov/news/speeches/the-fbis-approach-to-the-cyber-threat.

6. CNBC, Senator Reveals that the FBI Paid $900,000 to Hack into San Bernadino Killer’s iPhone (May 8, 2017) available at https://www.cnbc.com/2017/05/05/dianne-feinstein-reveals-fbi-paid-900000-to-hack-into-killers-iphone.html.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BCLP | Attorney Advertising

Written by:

BCLP
BCLP
Contact
more
less

BCLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide