We strongly encourage companies possessing or transmitting personally identifiable information (PII), protected health information (PHI), financial or other sensitive data, including trade secrets, to use encryption. Why? Because, if employed properly, it is both effective and legally defensible.
So what is encryption?
Encryption is a type of information security. It involves the coding and decoding of messages in order to protect private content from third parties. In its earliest form, encryption was essentially letter substitution (e.g., substituting the letter “a” for the letter “p” in a message). Today, encryption is much more complex than that. It usually involves the development of a shared secret key, the application of an encryption algorithm to your data to create a ciphertext, and, in many cases, the use of what is called a nonce (or “IV”), which is introduced into the data exchange to prevent repetitive sequences in the encrypted text (since such repetitions could allow the encryption to be broken).
The two basic forms of encryption are stream ciphers and block ciphers. Stream ciphers employ a single-use key. The historical “one-time pad” and once-trusty RC4 are examples of stream ciphers. This type of encryption is generally used for things like email, since the cipher can only be securely used one time. Block ciphers, in contrast, employ multi-use keys. Two of the most common block ciphers used today are 3DES and AES, both of which are approved by NIST. See here and here. Block ciphers are used for things like SSL (i.e., Internet packet encryption), since the cipher is created through an iterative process that allows the shared key to be used securely multiple times.
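To make the point about the nonce (“IV”) concrete, here is an added illustration that is not part of the original article: it encrypts a record made of identical blocks once without an IV and once with one, and counts the repeated ciphertext blocks that a third party could spot. It assumes a constructed toy block cipher (a small Feistel network over HMAC-SHA256) as a stand-in for AES so that it runs with the Python standard library alone, and a constructed sample record.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 16-byte blocks, the same block size as AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 4-round Feistel block cipher built from HMAC-SHA256: a constructed stand-in
# for a real block cipher such as AES, used only so this example needs no
# third-party library. It must not be used to protect real data.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # No IV: every block is encrypted on its own, so equal plaintext blocks
    # produce equal ciphertext blocks (data length must be a multiple of BLOCK).
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # With an IV: each block is XORed with the previous ciphertext block (the IV
    # for the first one), so repeats vanish and a fresh IV gives a fresh ciphertext.
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    # Count ciphertext blocks that duplicate an earlier block: the pattern an IV removes.
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

if __name__ == "__main__":
    key, iv, rec = os.urandom(16), os.urandom(BLOCK), b"SSN=123-45-6789;" * 4  # constructed sample
    print(repeated_blocks(ecb_encrypt(key, rec)), repeated_blocks(cbc_encrypt(key, iv, rec)))  # 3 0
```

Encrypting the same record a second time under the same key with a new IV yields an entirely different ciphertext, which is the property the IV is there to provide.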
That’s the encryption short tour. For a deeper dive, from an expert, go here.
Why should you use it?
You should use encryption because it gives you legal protection. Few laws specifically require encryption. HIPAA generally doesn’t. State statutes don’t. Nor does the Gramm-Leach-Bliley Act’s Safeguards Rule. Yet if you are not encrypting PII, PHI, or financial data, you are putting yourself at risk. Those laws expect you to take reasonable precautions. And using encryption, and using it properly, is a reasonable precaution when it comes to dealing with sensitive data. HIPAA, for example, provides that encryption should be used where “the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability” of the information or else implement an “equivalent alternative measure if reasonable and appropriate,” and document why encryption wasn’t the best choice.
Encryption also helps to avoid costly breaches. The HIPAA breach notification rule is only triggered if the PHI is “unsecured.” So if the data has been made “unusable, unreadable, or indecipherable to unauthorized individuals” – say, through encryption – then there is no reportable breach. And almost every state and territory breach notification statute follows this same approach. The thinking is that, since the data is encrypted, it is not feasible for someone to break the encryption to get to the underlying information, so the information is never really exposed. If, however, the incident involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud, then, under most statutes, there will be a breach, and notification will still be required.
The bottom line is that if you’re a company that handles sensitive data – including PII, PHI, financial data, trade secrets, etc. – you will want to use encryption as one line of your layered defense against cyberattacks, theft, and other information disclosure risks.