Encryption refers to the process of converting data into a form that is unreadable unless the recipient has a pre-designated algorithm, a “key,” and a password to convert the information into readable text. Most statutes, regulations, and agencies that require companies to utilize encryption to protect data do not mandate that a specific encryption standard (i.e., algorithm) be used. Some statutes do require, however, that companies use an encryption key that is at least 128-bits in length.

When examining whether a company’s use of encryption is reasonable and appropriate for the type of data collected and the risks posed to that data, regulators often examine whether a company utilizes encryption “at rest” and/or “in transit.” Encryption “at rest” refers to encryption applied to data while it is being stored. Encryption “in transit” refers to encryption applied to data while it is being transmitted across a network. Depending upon the type of software being used, and the architecture of a database, encryption at rest may significantly impair the ability of the data to be accessed and used efficiently. Regulators also look to whether the encryption standardize utilized either at rest or in transit has been publicly compromised or known vulnerabilities.

6

Number of states that require that sensitive information be encrypted when sent across public networks.1

1

Number of states which explicitly require that sensitive information be encrypted when sent wirelessly.2

1

Number of states which explicitly require that sensitive information be encrypted when stored on laptops or on portable devices.3

52

Data breach notification statutes that contain a safe harbor for encrypted data.4

87%

The number of locked devices in 2016 that the FBI claimed it could access despite widespread encryption technology.5

$900,000

Amount the FBI paid a private security firm to identify a vulnerability in the iPhone 5c that would allow the Bureau to crack phone’s encryption.6

What to think about when designing, or reviewing, an encryption policy:

  1. What types of data does our organization encrypt?
  2. Is the data encrypted at rest?
  3. Is the data encrypted in transit?
  4. Is the data encrypted when stored on personal storage devices?
  5. What encryption standards are used at rest and/or in transit?
  6. Are those encryption standards considered “strong” within the security community?
  7. Does your state require a specific encryption standard?
  8. Is there evidence that the encryption key could have been compromised?
  9. Is there a process to review the sufficiency of the encryption standard periodically (e.g., once per year)?
  10. Has your organization contractually agreed to maintain a specific encryption standard?