WhatsApp has recently rolled out end-to-end encryption for all of its messages. While news outlets are reporting how this move coincides with Apple's recent refusal of the FBI's request to unlock the San Bernardino shooter's iPhone, it also coincides with the Information Commissioner's Office's ("ICO") recent publication of encryption guidelines ("Guidance") on 3 March 2016.
Under the UK's Data Protection Act 1998 (principle 7), Data Controllers must take appropriate technical and organisational measures against unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data. The Guidance sets out the encryption measures that organisations should take to fulfil this requirement, and the ICO has flagged that if an organisation does not adopt these measures and then suffers a data loss, it could be subject to an ICO monetary penalty.
Encryption: an overview
Encryption is a means to secure data so that unauthorised users cannot access it. Data is encoded using a key, and only users with access to the decoding key can decrypt the data and read the information. So in the WhatsApp example, if anyone intercepts a WhatsApp message being sent between devices, then provided both users have the most recent version of WhatsApp installed, the interceptor will only see a string of indecipherable letters and numbers.
The ICO issued the Guidance following a string of data loss incidents in which data was stored on an unencrypted storage medium such as a CD, USB stick or laptop. For example, Greater Manchester Police was fined after an unencrypted USB stick, containing the personal data of over 1,000 people linked to investigations of serious organised crime, was stolen from a police officer's home. North East Lincolnshire Council was issued with a monetary penalty after an unencrypted memory stick went missing; it contained sensitive personal information about 286 children who attended local schools, including details of their mental and physical health problems and teaching requirements.
Does my organisation need to implement this Guidance?
Yes, if your organisation is a Data Controller. However, because the upcoming General Data Protection Regulation ("GDPR") extends Data Controller obligations to Data Processors, those acting as Data Processors should also consider implementing these requirements as a readiness measure.
Aside from industry-specific standards, there were previously no general encryption standards that organisations were required to comply with. Compliance with encryption standards is currently more market-driven than legislation-driven: encryption standards are often imposed contractually (e.g. an obligation to be ISO 27001 certified) or by customers – for example, service providers to the UK Government are required to hold Cyber Essentials certification.
What does the Guidance prescribe I should do?
The Guidance distinguishes between measures for data when it is being stored ("data at rest") and while it is being transferred ("data in transit"). When personal data is stored, consider deploying the following measures:
- full disk encryption;
- encrypt files individually, or place files in encrypted containers; or
- use the encryption measures in applications and databases. For example, many cloud service providers, such as Amazon, now provide encryption measures whereby only the customer has the key, meaning that the cloud service provider does not have access to the customer's data, which provides the customer with strong assurance that its data is secure.
When personal data is in transit, consider the following measures:
- use encrypted communication protocols, such as Transport Layer Security ("TLS"); and
- encrypt communications when sending data over wi-fi or untrusted networks, or encrypt an individual file containing sensitive data before sending it across a communication channel.
The Guidance identifies residual risks that remain after such measures are deployed (such as an employee leaving an encrypted device in its decrypted state by walking away from an unlocked laptop), and states that these risks should be addressed as part of an encryption policy.
The Guidance also sets out technical guidance on implementing encryption effectively: choosing the right algorithm, the right key size and the right encryption software, and keeping the key securely stored.
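As an added illustration of the data-at-rest measures above (encrypting an individual file with a current algorithm and key size, and keeping the key apart from the data), here is a short Go example written for this post; it is not code from the ICO or the Guidance. It assumes AES-256-GCM as the "right algorithm" choice and a randomly generated key, and the function names are the author's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// A 32-byte key selects AES-256: a current "right algorithm, right key size" choice.
// Keep the key apart from the data it protects; a key stored beside the file protects nothing.
const keySize = 32

func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any length other than 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals the file contents as nonce || ciphertext || tag.
// GCM authenticates as well as encrypts, so any later modification is detected.
func EncryptFile(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per file; never reuse under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptFile fails closed: a wrong key or a single flipped bit yields an error, not garbage.
func DecryptFile(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
```

The authenticated (GCM) mode matters for the "residual risk" point: a file that has been altered in storage or in transit is rejected outright rather than silently decrypted to corrupted content.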
What about specific devices I use?
The Guidance prescribes measures for a range of devices and situations, such as CDs, DVDs, USB sticks, email, backups, mobiles, faxes (an unusual inclusion, given that encryption measures can't be applied to traditional fax machines, though the Guidance does recommend online fax services), body-worn video cameras (watch out for your GoPros) and drones. While specific risks are identified for each personal data storage device (such as CCTV storage units being more likely to be stolen because they hold evidence of crime), the key theme across the piece is to encrypt data both in transit and at rest.
Many organisations of course already employ such encryption methods, and have done so for years. If your organisation does not, now is the time to act to manage the vulnerability.