
Cybersecurity For Small Businesses Tip #1 – Lock It Up (Encrypt)

In honor of National Cybersecurity Awareness Month, we’re sharing our top practical tips for small businesses to keep their data secure. Tip #1 is encryption. The National Institute of Standards and Technology (NIST) defines encryption as “the process of transforming plaintext into ciphertext using a cryptographic algorithm and key.” In plain terms, encryption is the process of securing data by using a digital lock and key.

The premise behind encryption is pretty simple. If you want to keep private papers from prying eyes, how would you do it? You could put the papers in a safe. Only someone who knows the combination to the safe can open it and access the papers inside. Encryption does the same thing to data, except using digital methods. Encryption essentially “locks” data by scrambling it so it becomes unintelligible to anyone who doesn’t have the “key” necessary to unscramble it. The idea is that scrambled data is useless to anyone who can’t unscramble it. It doesn’t matter if the encrypted data falls into the hands of a hacker or is released to the public due to a data security breach. Data that looks like gibberish isn’t very useful.

Understanding this principle is the key to minimizing legal liability under data privacy laws. Take Hawaii’s data breach notification law, for example. The breach notification requirements of Hawaii Revised Statutes chapter 487N-2 apply when a “security breach” has occurred. The term “security breach” refers to “an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.” Did you catch the reference to “unencrypted” records? If the data acquired in a breach incident is encrypted, then a “security breach” did not happen for purposes of HRS 487N-2, and compliance with the breach notification requirements of the statute is unnecessary.

The California Consumer Privacy Act (CCPA) that will take effect on January 1, 2020 is another example. A business can be sued by a consumer whose “nonencrypted or nonredacted personal information” is subject to unauthorized access and is copied, transferred, stolen, or disclosed due to the business’s failure to use reasonable security procedures. Want to reduce exposure to private lawsuits under the CCPA? Encrypt consumer data.

The General Data Protection Regulation (GDPR) isn’t quite as black-and-white in carving out liability for encrypted data, but the law certainly incentivizes encryption. For example, Article 34 of the GDPR provides a safe harbor from the data breach notifications where “the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.” (Emphasis added.) While encryption won’t guarantee exemption from the GDPR’s data breach notification requirements, failure to encrypt data almost certainly would trigger the requirements.

It should be fairly obvious by now that encrypting sensitive data is a highly recommended, if not mandatory, cybersecurity measure. How encryption fits into your cybersecurity program depends on your organization’s IT system, the type of data at issue, operational needs, and cost, among other factors. Encryption can be deployed at different stages of the data lifecycle. Encryption can also be paired with other data security practices such as pseudonymization and anonymization. Consult a cybersecurity expert and privacy lawyer to determine how best to use encryption to secure your data and minimize legal liability.
