Code or Clear? Encryption Requirements under Information Privacy and Security Laws (Part 1)

“Exactly what data do we have to encrypt, and how?”

That’s a common question posed by IT and legal departments, HR and customer service managers, CIOs and information security professionals. In the past, they made their own choices about encryption, balancing the risks of compromised data against the costs of encryption. Those costs are measured not merely by expense but also by increased processing load, user-unfriendliness, and the remote but real possibility of lost or corrupted decryption keys resulting in inaccessible data. After weighing the costs and benefits, most enterprises decided against encryption for all but the most sensitive applications and data categories.

But changes in technology and law are making enterprises rethink that decision. Processing is faster and encryption software is cheaper and more reliable. There are now several efficient options for encrypting data in communications and on laptops and mobile storage devices, where historically data is most vulnerable. And at the same time, new compliance obligations and heightened litigation risks are pushing companies, government agencies, and nonprofits to explore these options and adopt a defensible policy toward data encryption.

From “Reasonable” to Specific

Legal and IT personnel are generally familiar with a traditional pattern in privacy laws: Security is always mandated, but the statutory language is usually limited to generalities, stating that a company must develop and implement “reasonable” or “appropriate” security measures proportional to the risk of harm if the information at issue is lost, altered, or obtained by unauthorized persons. This sort of language is found, for example, in HIPAA and GLBA, FTC guidance on fair trade practices, SEC internal control rules under Sarbanes-Oxley (SOX), the EU Data Protection Directive, and the personal information security laws of Canada, Japan, Australia, and other jurisdictions. Some laws (or regulations issued under those laws) emphasize that these safeguards must include technical, organizational, and physical security measures, but they typically do not specify what those measures must be.

This is because lawmakers are well aware that technology and criminal tactics are both constantly changing. There is an understandable reluctance to define appropriate security measures based on current technology and practices that may be outmoded within a year or two.
Nevertheless, the spate of personal information security breaches, some of them on a breathtaking scale, and the rise of identity theft as the fastest-growing criminal activity tracked by the FBI and several foreign law enforcement agencies, have pushed legislators and regulators to become increasingly specific in mandating security measures for especially sensitive or risky categories of personal data. That trend is reflected in the new generation of privacy and information security laws and regulations outlined below, with significant consequences for compliance practices.

Lawyers will appreciate that these increasingly specific security requirements have an impact not only in the compliance context but in civil litigation based on common-law doctrines of negligence, invasion of privacy, and breach of contract or on “unfair or deceptive trade practices” under FTC Act sec. 5 and parallel state laws. Many large-scale security breaches involving credit or debit card details or Social Security Numbers have resulted in civil litigation, much of it in the form of class actions, lawsuits filed by the attorneys general in several states, or “private attorney general” actions in California.

Companies increasingly deploy security measures such as encryption, strong passwords, and access logs to protect sensitive personal data in a wider range of IT applications, partly in response to litigation risks and new compliance obligations. But as they do so, public and judicial perceptions of “industry standard” safeguards and “reasonable” security practices change; the bar is set higher. It becomes harder to defend against an “unfair practices” or negligence complaint following a security breach by asserting that the plaintiff had no reasonable expectation of privacy or that the defendant acted as a “reasonable man” in storing and transmitting sensitive personal data without encryption, for example, or with unchanged, four-digit passwords.

Very few lawsuits involving consumer or employee privacy have proceeded to trial. They are usually settled – publicly, in the case of class actions and lawsuits brought by the FTC or a state attorney general. Settlements and FTC consent decrees have often included specific security undertakings, including encryption and password controls, to avoid future privacy violations.

The key, then, is not to focus solely on compliance within the scope of specific statutory requirements, but to look at the trends in these requirements as a guide to effective risk management in the litigation context as well.

There is clearly a trend toward requiring encryption of sensitive personal data (particularly the identifiers used commonly in ID theft, as well as medical information), especially when that information is transmitted over public networks or wirelessly, or when that information is stored on laptops, USB drives, smart phones, PDAs, and other portable devices. These are precisely the circumstances in which most large-scale personal data security breaches have occurred.
So far, companies have not normally been required to routinely encrypt all such data on secure servers or in data centers and storage media located on their premises (or those of their contractors), behind firewalls and internal network or VPN controls. Some companies have chosen to do so, however, to further reduce their risks of noncompliance or litigation exposure.

Sources of Legal Requirements

In the next installment, I’ll review recent US state and federal laws or regulations that push organizations to reconsider encryption, especially for data in transit and on portable devices. Then, we’ll look at the international scene, and finally at standards that are often incorporated in legal and regulatory decisions as well as in contracts.