When thinking about data encryption, businesses typically view it as a proactive measure to avoid security breaches. That is correct as far as it goes: properly encrypted data is of little use to an attacker who does not also obtain the key. What is often missed from the equation is how encryption can reduce organizational risk should a security breach still happen.
This is because of the impact encryption has on businesses' data breach reporting requirements. Many countries around the world now have data breach reporting rules, and these can attract serious liabilities. In the US, for example, 47 of the 50 states have state-level data breach reporting requirements. Across the pond, EU-wide data protection rules currently require ISPs and telcos to report data breaches in each of the 28 Member States. The EU is re-writing its data protection laws now and is expected to extend this reporting requirement to all sectors.
Data breach reporting takes two forms:
- First, businesses which suffer a data breach may have a duty to inform their local regulator, which they are often reluctant to do, since reporting may spark a regulatory investigation that uncovers compliance failures and results in penalties.
- Second, businesses may also need to inform the individuals whose data were compromised by the breach, again an unwelcome responsibility, since it often results in complaints, press coverage and adverse PR.
Further, the specific reporting requirements, such as the threshold for notifying, the timescale in which to notify, the level of detail required and the communication channel to be used, vary widely from country to country and state to state, making it easy to see why no business wants to find itself in the position of needing to report a breach.
This is where encryption helps. US state laws generally provide a "safe harbor" from reporting data breaches if the data that was lost or stolen was encrypted. For example, California's Senate Bill 1386, which came into effect on 1 July 2003, introduced a requirement to inform Californian residents of any actual or suspected security breach that compromises the "security, confidentiality or integrity" of their personal information, unless the data was encrypted.
The same is also true in the EU. The EU's current breach reporting requirements for ISPs and telcos say that "notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has … implemented appropriate technological protection measures … [that] render the data unintelligible to any person who is not authorised to access it", in other words, if the data has been encrypted. Note that the test is whether the data is actually unintelligible to the unauthorised party: encrypted data that is stolen together with the key that decrypts it does not meet it. This wording has been transposed, word for word, into the European Commission's proposals to extend data breach reporting requirements across all sectors.
The impact of encryption on data breach reporting responsibilities also holds true in certain countries outside the US and EU. In Australia, for example, guidance from the Office of the Australian Information Commissioner says that "In general, if a data breach creates a real risk of serious harm to the individual, the affected individuals should be notified", and cites the use of encryption as a factor to consider when assessing the seriousness of a breach. If encryption has been applied, the risk arising from the breach is lower, which in turn reduces the likelihood that individuals need to be notified.
In sum, encryption both reduces the likelihood of a security breach arising in the first place and mitigates the adverse consequences of a breach, for the individuals whose data are compromised and for the business in terms of its liabilities following the breach.
Phil Lee is a partner in the Privacy and Information Law Group at Fieldfisher and leads its US Office in Palo Alto California. You can e-mail him at firstname.lastname@example.org or follow him on Twitter @euprivacylawyer.