Code or Clear? Encryption Requirements (Part 3)

In other posts, I addressed the trend in the United States to require encryption for certain categories of personal data that are sought by ID thieves and fraudsters – especially Social Security Numbers, driver’s license numbers, and bank account or payment card details – as well as for medical information, which individuals tend to consider especially sensitive.  These concerns are not, of course, limited to the United States.

Data Protection Laws

Comprehensive data protection laws in Europe, Canada, Japan, Australia, New Zealand and elsewhere include general obligations to maintain “reasonable” or “appropriate” or “proportional” security measures, usually without further elaboration. Some nations have gone further, however, to specify security measures.

Spain already requires encryption for personal financial data, as well as for the “sensitive” categories of data as defined in the EU Data Protection Directive (race, health or sexual life, trade union membership, political or religious opinion). Italy requires a written security policy for certain categories of sensitive data (including biometrics and geolocation tracking, both sometimes used in security badging systems, and consumer profiling); the policy must specifically address encryption. France, Austria, and Belgium request information about encryption in their standard declaration forms for personal data processing activities, and official guidance in those countries cautions companies to address encryption in their written security policies. Switzerland’s federal data protection commission encourages multinationals to encrypt SSNs and other risky personal data in transmissions to outsourcing vendors or to parent or affiliate companies abroad. The Information Commissioner in the United Kingdom has threatened enforcement measures against companies and agencies that fail to secure personal data on laptops. Japan’s Financial Supervisory Agency has similarly issued warnings to financial institutions to encrypt financial data in transmission and on laptops.

Thus, on the international scene, encryption is becoming a mandatory checklist item to establish “reasonable” security for sensitive categories of data, with “sensitive” defined more broadly than the limited data categories covered by US federal and state laws. Unlike the trend in US laws and regulations, there is seldom a specific reference to government or industry encryption standards. However, it would be difficult to defend an organization’s security measures for sensitive data as “reasonable” without reference to such standards or industry practices.

Security Breach Notification Laws

Outside the US, Japan has also formalized breach notice requirements. These are not consistent; they vary according to the regulations or recommendations of the relevant ministry – with regard, for example, to the number of files or the categories of data that trigger notification to either the public or to the ministry. Many companies are subject to overlapping ministerial jurisdiction and so tend to follow the stricter standards of the Financial Services Agency or the Ministry of Economy, Trade, and Industry (METI) in the event of a data breach. Thus, in both the US (because of varying state laws) and Japan (because of different standards among supervisory authorities), there is not a uniform approach to data breach notice.

Initially, privacy and data protection officials in the European Union, Canada, Australia, and other jurisdictions with comprehensive data protection laws rejected the US trend toward breach notice laws. Some argued that these were an inadequate solution to the problem of ID theft, focusing only on transparency rather than ensuring minimum levels of acceptable security. Others argued that special breach notice laws should not be necessary. Existing data protection laws already require notice to individuals when personal data are transferred to another “data controller,” and thus notice should be given when an unauthorized “controller” takes possession of the data. Moreover, where notification to the data protection authorities is routinely required (as in many European countries that require “registration” of personal data processing activities with a supervisory authority), a data controller is typically obliged to notify the authorities concerning any material changes – such as the failure of its notified security program and the unintended transfer of protected personal data to a third party.

Despite these provisions of current data protection laws, enterprises outside the US and Japan for the most part have less commonly given notice of data breaches involving personal data. Data protection authorities have contacted some enterprises when breaches were discovered and in some cases have publicly condemned the enterprise for failing to warn individuals affected by a data breach. In 2008, for example, the UK Information Commissioner sent an Enforcement Notice to retailer Marks & Spencer, criticizing the company for failing to notify affected individuals when a laptop containing unencrypted personal data on 26,000 pension plan participants was stolen in a burglary. Sectoral regulators have in some instances imposed sanctions for large-scale breach events. The UK Financial Services Authority (FSA), for example, fined Nationwide Building Society nearly $2 million in 2007 following a stolen laptop incident compromising unencrypted customer data.

Partly because of such episodes, there is renewed interest abroad in adopting data breach notification or “data leak” laws that would require notice to affected individuals (and typically to the authorities as well) where unencrypted personal data is lost or stolen. Such proposals are under consideration in Canada and Australia as well as in the UK and several other European countries. Proposed amendments to the EU Directive on Privacy and Electronic Communications (the “E-Privacy Directive”) would require breach notice by providers of electronic communications services. The scope of this term is still debated; it might include employers, universities, and even owners of apartment buildings. The current proposal would make an exemption from the obligation to notify where “appropriate technological measures” (such as encryption) were applied to the data. As in most US laws, the proposal does not specify a particular kind of encryption that qualifies for the exemption. Relying on widely accepted industry and government standards is one way, however, to establish a defensible approach to both security and breach notification.

Code or Clear? Encryption Requirements under Information Privacy and Security Laws (Part 1)

“Exactly what data do we have to encrypt, and how?”

That’s a common question posed by IT and legal departments, HR and customer service managers, CIOs and information security professionals. In the past, they made their own choices about encryption, balancing the risks of compromised data against the costs of encryption. Those costs are measured not merely by expense but also by increased processing load, user-unfriendliness, and the remote but real possibility of lost or corrupted decryption keys resulting in inaccessible data. After weighing the costs and benefits, most enterprises decided against encryption for all but the most sensitive applications and data categories.

But changes in technology and law are making enterprises rethink that decision. Processing is faster and encryption software is cheaper and more reliable. There are now several efficient options for encrypting data in communications and on laptops and mobile storage devices, where historically data is most vulnerable. And at the same time, new compliance obligations and heightened litigation risks are pushing companies, government agencies, and nonprofits to explore these options and adopt a defensible policy toward data encryption.

From “Reasonable” to Specific

Legal and IT personnel are generally familiar with a traditional pattern in privacy laws: Security is always mandated, but the statutory language is usually limited to generalities, stating that a company must develop and implement “reasonable” or “appropriate” security measures proportional to the risk of harm if the information at issue is lost, altered, or obtained by unauthorized persons. This sort of language is found, for example, in HIPAA and GLBA, FTC guidance on fair trade practices, SEC internal control rules under Sarbanes-Oxley (SOX), the EU Data Protection Directive, and the personal information security laws of Canada, Japan, Australia, and other jurisdictions. Some laws (or regulations issued under those laws) emphasize that these safeguards must include technical, organizational, and physical security measures, but they typically do not specify what those measures must be.

This is because lawmakers are well aware that technology and criminal tactics are both constantly changing. There is an understandable reluctance to define appropriate security measures based on current technology and practices that may be outmoded within a year or two.

Nevertheless, the spate of personal information security breaches, some of them on a breathtaking scale, and the rise of identity theft as the fastest-growing criminal activity tracked by the FBI and several foreign law enforcement agencies, have pushed legislators and regulators to become increasingly specific in mandating security measures for especially sensitive or risky categories of personal data. That trend is reflected in the new generation of privacy and information security laws and regulations outlined below, with significant consequences for compliance practices.

Lawyers will appreciate that these increasingly specific security requirements have an impact not only in the compliance context but in civil litigation based on common-law doctrines of negligence, invasion of privacy, and breach of contract or on “unfair or deceptive trade practices” under FTC Act sec. 5 and parallel state laws. Many large-scale security breaches involving credit or debit card details or Social Security Numbers have resulted in civil litigation, much of it in the form of class actions, lawsuits filed by the attorneys general in several states, or “private attorney general” actions in California.

Companies increasingly deploy security measures such as encryption, strong passwords, and access logs to protect sensitive personal data in a wider range of IT applications, partly in response to litigation risks and new compliance obligations. But as they do so, public and judicial perceptions of “industry standard” safeguards and “reasonable” security practices change; the bar is set higher. It becomes harder to defend against an “unfair practices” or negligence complaint following a security breach by asserting that the plaintiff had no reasonable expectation of privacy or that the defendant acted as a “reasonable man” in storing and transmitting sensitive personal data without encryption, for example, or with unchanged, four-digit passwords.

Very few lawsuits involving consumer or employee privacy have proceeded to trial. They are usually settled – publicly, in the case of class actions and lawsuits brought by the FTC or a state attorney general. Settlements and FTC consent decrees have often included specific security undertakings, including encryption and password controls, to avoid future privacy violations.

The key, then, is not to focus solely on compliance within the scope of specific statutory requirements, but to look at the trends in these requirements as a guide to effective risk management in the litigation context as well.

There is clearly a trend toward requiring encryption of sensitive personal data (particularly the identifiers used commonly in ID theft, as well as medical information), especially when that information is transmitted over public networks or wirelessly, or when that information is stored on laptops, USB drives, smart phones, PDAs, and other portable devices. These are precisely the circumstances in which most large-scale personal data security breaches have occurred.

So far, companies have not normally been required to routinely encrypt all such data on secure servers or in data centers and storage media located on their premises (or those of their contractors), behind firewalls and internal network or VPN controls. Some companies have chosen to do so, however, to further reduce their risks of noncompliance or litigation exposure.

Sources of Legal Requirements

In the next installment, I’ll review recent US state and federal laws or regulations that push organizations to reconsider encryption, especially for data in transit and on portable devices. Then, we’ll look at the international scene, and finally at standards that are often incorporated in legal and regulatory decisions as well as in contracts.