Thales Blog

Data Breach Notification And Encryption

February 12, 2012

The increasingly connected world in which we live and work provides significant convenience. Both work and leisure activities have benefited greatly from advances in technology that allow people and businesses to connect in a virtual world. Along with those conveniences, however, have come some hidden, and some not so hidden, risks. As more and more people have come online, the proliferation of personal data has created an opportunity for data thieves and fraudsters. As data compromises became more frequent, consumers became more and more concerned about the safety of their data. Often, consumers were unaware that their data had been stolen until they noticed unusual activity or their payment card was suspended to prevent fraudulent activity. To counter this, a new class of laws was created: the data breach notification law. While these laws have been around for more than ten years, there is still much confusion surrounding them, particularly around the safe harbor provisions that many of them include.

Data breach notification laws require that breached entities notify individuals who may have been affected by a loss of their personally identifiable data. Personally identifiable data is frequently defined as first initial and last name in conjunction with:

  • Government identification number (social security number)
  • Financial account number with password or other credential with which one can gain access to the account
  • Driver’s license number
  • Date of birth

Some states have much broader definitions that include digital identity information, such as an IP address. Given that more than 40 states now have data breach notification laws, it is important to understand these laws and how your specific business model and geographic footprint affect your business’ obligations under them. Despite the often disparate clauses and terms of these laws, most include common language that provides “safe harbor” for companies that suffer a breach but have encrypted any stored personally identifiable data. There are important caveats to this safe harbor, though, and a brief discussion of some of them follows.

The first caveat is that some states do not provide a safe harbor for encrypted data. The number of laws and the variance between them make it vitally important to work with your counsel to determine the best way to ensure compliance. That being said, because companies very often do business in more than one state, encryption is still an important part of compliance with data breach notification laws.

Secondly, those states that do provide a safe harbor for encrypted data specify that the safe harbor applies only if the keys were not also compromised. This caveat is of vital importance. Some database applications provide native encryption; however, they often store the encryption keys in the same files in which the databases themselves are found. Storing the keys in the same location as the database being “protected” can best be described as poor data security: whoever obtains a copy of the database files obtains the keys along with them. The same charge can be leveled at whole disk encryption: if the administrative password for the disk is compromised, the encryption keys protecting the sensitive data are compromised with it. In either case, the notification requirement would be triggered, even in those states that provide a safe harbor for encryption. Strong key management is essential, not just for compliance, but for the protection of sensitive data. Encryption without strong key management is inadequate at best, and can be dangerous for your business and your customers.
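To make the second caveat concrete, the following is an added illustration (not code from the original post or from Thales). It models a breach as a thief copying a database host's files, and asks the safe-harbor question of the copy: can the plaintext be recovered from the dump alone? The record, the AES-256-GCM "native encryption", and the two storage layouts (key file beside the data versus key held in a separate key manager that the breach did not reach) are all constructed assumptions for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Dump is what a thief copies from a breached database host: the encrypted table
// plus any key file stored beside it (KeyMaterial is empty when the key is elsewhere).
type Dump struct {
	Nonce, Ciphertext []byte
	KeyMaterial       [][]byte
}

// BuildDumps encrypts one record under a fresh AES-256-GCM key and returns the two
// breach scenarios from the post: key colocated with the data, and key held elsewhere.
func BuildDumps(record []byte) (colocated, separated Dump) {
	key := make([]byte, 32)
	rand.Read(key) // since Go 1.24, Read never returns an error (it crashes instead)
	block, _ := aes.NewCipher(key) // cannot fail: key is exactly 32 bytes
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	ct := aead.Seal(nil, nonce, record, nil)
	return Dump{Nonce: nonce, Ciphertext: ct, KeyMaterial: [][]byte{key}}, // key file beside the data
		Dump{Nonce: nonce, Ciphertext: ct} // key lives in a separate key manager, not in the dump
}

// KeysCompromised asks the safe-harbor question: can the thief decrypt with only the dump?
func KeysCompromised(d Dump) bool {
	for _, k := range d.KeyMaterial {
		block, err := aes.NewCipher(k)
		if err != nil {
			continue // not even a valid AES key length
		}
		aead, _ := cipher.NewGCM(block)
		if _, err := aead.Open(nil, d.Nonce, d.Ciphertext, nil); err == nil { // GCM tag rejects any wrong key
			return true
		}
	}
	return false
}

func main() {
	colocated, separated := BuildDumps([]byte("J. Doe,000-00-0000")) // constructed sample record
	fmt.Println("key file beside the data, notification triggered:", KeysCompromised(colocated))
	fmt.Println("key held elsewhere, notification triggered:", KeysCompromised(separated))
}
```

The colocated layout prints true: the encryption bought no safe harbor because the copied files carried the key. The separated layout prints false, and any key the thief guesses fails GCM authentication rather than yielding garbage that looks like a partial success.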

*Please note that this post does not constitute legal advice. When a question arises about regulatory compliance, it is always best to seek advice from your legal counsel.