Code or Clear? Encryption Requirements (Part 3)

In other posts, I addressed the trend in the United States to require encryption for certain categories of personal data that are sought by ID thieves and fraudsters – especially Social Security Numbers, driver’s license numbers, and bank account or payment card details – as well as for medical information, which individuals tend to consider especially sensitive.  These concerns are not, of course, limited to the United States.

Data Protection Laws

Comprehensive data protection laws in Europe, Canada, Japan, Australia, New Zealand and elsewhere include general obligations to maintain “reasonable” or “appropriate” or “proportional” security measures, usually without further elaboration. Some nations have gone further, however, to specify security measures.

Spain already requires encryption for personal financial data, as well as for the “sensitive” categories of data as defined in the EU Data Protection Directive (race, health or sexual life, trade union membership, political or religious opinion). Italy requires a written security policy for certain categories of sensitive data (including biometrics and geolocation tracking, both sometimes used in security badging system, and consumer profiling); the policy must specifically address encryption. France, Austria, and Belgium request information about encryption in their standard declaration forms for personal data processing activities, and official guidance in those countries cautions companies to address encryption in their written security policies. Switzerland’s federal data protection commission encourages multinationals to encrypt SSNs and other risky personal data in transmissions to outsourcing vendors or to parent or affiliate companies abroad. The Information Commissioner in the United Kingdom has threatened enforcement measures against companies and agencies that fail to secure personal data on laptops. Japan’s Financial Supervisory Agency has similarly issued warnings to financial institutions to encrypt financial data in transmission and on laptops.

Thus, on the international scene, encryption is becoming a mandatory checklist item to establish “reasonable” security for sensitive categories of data, with “sensitive” defined more broadly than the limited data categories covered by US federal and state laws. Unlike the trend in US laws and regulations, there is seldom a specific reference to government or industry encryption standards. However, it would be difficult to defend an organization’s security measures for sensitive data as “reasonable” without reference to such standards or industry practices.

Security Breach Notification Laws

Outside the US, Japan has also formalized breach notice requirements. These are not consistent; they vary according to the regulations or recommendations of the relevant ministry – with regard, for example, to the number of files or the categories of data that trigger notification to either the public or to the ministry. Many companies are subject to overlapping ministerial jurisdiction and so tend to follow the stricter standards of the Financial Services Agency or the Ministry of Economy, Trade, and Industry (METI) in the event of a data breach. Thus, in both the US (because of varying state laws) and Japan (because of different standards among supervisory authorities), there is not a uniform approach to data breach notice.

Initially, privacy and data protection officials in the European Union, Canada, Australia, and other jurisdictions with comprehensive data protection laws rejected the US trend toward breach notice laws. Some argued that these were an inadequate solution to the problem of ID theft, focusing only on transparency rather than ensuring minimum levels of acceptable security. Others argued that special breach notice laws should not be necessary. Existing data protection laws already require notice to individuals when personal data are transferred to another “data controller,” and thus notice should be given when an unauthorized “controller” takes possession of the data. Moreover, where notification to the data protection authorities is routinely required (as in many European countries that require “registration” of personal data processing activities with a supervisory authority), a data controller is typically obliged to notify the authorities concerning any material changes – such as the failure of its notified security program and the unintended transfer of protected personal data to a third party.

Despite these provisions of current data protection laws, enterprises outside the US and Japan for the most part have less commonly given notice of data breaches involving personal data. Data protection authorities have contacted some enterprises when breaches were discovered and in some cases have publicly condemned the enterprise for failing to warn individuals affected by a data breach. In 2008, for example, the UK Information Commissioner sent an Enforcement Notice to retailer Marks & Spencer, criticizing the company for failing to notify affected individuals when a laptop containing unencrypted personal data on 26,000 pension plan participants was stolen in a burglary. Sectoral regulators have in some instances imposed sanctions for large-scale breach events. The UK Financial Services Authority (FSA), for example, fined Nationwide Building Society nearly $2 million in 2007 following a stolen laptop incident compromising unencrypted customer data.

Partly because of such episodes, there is renewed interest abroad in adopting data breach notification or “data leak” laws that would require notice to affected individuals (and typically to the authorities as well) where unencrypted personal data is lost or stolen. Such proposals are under consideration in Canada and Australia as well as in the UK and several other European countries. Proposed amendments to the EU Directive on Privacy and Electronic Communications (the “E-Privacy Directive") would require breach notice by providers of electronic communications services. The scope of this term is still debated; it might include employers, universities, and even owners of apartment buildings. The current proposal would make an exemption from the obligation to notify where “appropriate technological measures” (such as encryption) were applied to the data. As in most US laws, the proposal does not specify a particular kind of encryption that qualifies for the exemption. Relying on widely accepted industry and government standards is one way, however, to establish a defensible approach to both security and breach notification.