The Encryption “Magic Bullet”


Every organization in business today is holding personal information about individuals. Whether they are consumers, customers, clients, patients, employees, or business partners, you collect a mass of personal information about them, such as Social Security numbers (SSNs) and other government-issued identifiers, consumer reports, background checks, test results, medical files, financial or health information, and perhaps even biometric data.

Forty-six states, the District of Columbia, the Virgin Islands, Puerto Rico, the Federal Trade Commission, Federal Financial Regulators, and the Department of Health and Human Services all have adopted some form of notification requirement that will obligate you to notify individuals if their information is affected by a security breach. You also may have to notify regulators, consumer reporting agencies, and the media, depending on which laws are implicated. But these laws, despite their diversity on other topics, all have one thing in common: if the data affected was encrypted and the encryption key was not compromised, the breach does not have to be reported. With the average security breach estimated to cost $6.75 million (according to the Ponemon Institute’s 2009 study on the topic), is it any surprise that organizations are rushing out to purchase encryption solutions for their laptops, thumb drives, PDAs, and even internal systems? In fact, encryption is required in certain circumstances by HIPAA, Nevada state law, Massachusetts regulations, and numerous state laws governing use of SSNs.

But before you hurry out to snap up the first encryption package a vendor dangles in front of you, please make sure the solution will actually provide the “magic bullet” you are seeking. Be aware that the laws at issue vary in what they are willing to consider “encryption.”


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
