Take a proactive approach towards your organization’s security and compliance by gaining a greater understanding of current industry regulations for the GDPR, CCPA, LGPD, and HIPAA regarding encryption
In this age, organizations are dealing with an extraordinary volume of data — everything from personally identifiable information (PII) and protected health information (PHI) to financial records and other sensitive information. According to research from Seagate and the International Data Corporation (IDC), the global datasphere is forecast to reach 175 zettabytes by 2025. To put it into perspective, researchers at IBM’s Almaden, California research lab are building the world’s largest data array, which can hold only 0.00012 zettabytes of data. If you tried to store 175 zettabytes on your home computer, you’d need at least 175 billion PCs to store all the data!
Although data is seen as an asset for organizations, this amount of data can be seen as a risk as it gives hackers and risks of data sprawl a larger area to work with. In order to avoid these risks, organizations are required to encrypt their data as per global privacy regulations, and rightfully so. These encryption regulations and laws can help organizations mitigate risks and stop data sprawl and cyberattacks before they occur.
But what exactly are the standards and requirements in terms of GDPR encryption, HIPAA encryption, CCPA encryption, and LGPD, or what’s known as the Brazilian general data protection law?
Let’s hash it out.
What is Data Encryption?
In the simplest form, data encryption can be defined as translating data in a different form that can not be deciphered (decrypted) without the help of a special key. Encrypted data is known as ciphertext, whereas unencrypted data can be defined as plaintext. Encryption is one of the most common and effective processes organizations can incorporate to increase data security and facilitate secure communications.
The primary purpose of data encryption is to protect an organization’s digital data confidentiality. Data, which is stored on servers and computer systems, is transmitted using the insecure internet or other potentially insecure computer networks. Storing unencrypted data can jeopardize the confidentiality of the data and make it prey to data sprawl and hacking.
Modern encryption algorithms play a crucial role in the security of data and communication. These algorithms provide confidentiality and other key security advantages, including affirming file integrity, authentication, and non-repudiation:
- authentication assists in the verification of a message’s origin,
- integrity offers proof that the contents of the message have not changed since it was sent, and
- non-repudiation ensures that a message sender cannot deny sending the message.
So, what does all this have to do with privacy regulations and data encryption laws like the European Union’s General Data Protection Act (GDPR), the California Consumer Privacy Act (CCPA), Brazil’s LGPD, and the Health Insurance Portability and Accountability Act? Let’s explore this a bit more in depth.
Do Data Privacy Laws Require Encryption?
Although all data privacy laws and regulations may not explicitly ask organizations to implement encryption in their systems, it’s highly recommended as it mitigates the risk associated with data breach. Data from IBM Security’s 2019 Cost of a Data Breach report put the average cost of a data breach at $3.92 million. Not only this, but around 276 health data breaches were reported to regulators last year — including hacking incidents and thefts of unencrypted devices — already have been added to the official federal tally, with business associates involved in six of the largest incidents.
If encrypted data is breached, organizations are less likely to face fines and penalties because the data itself is unintelligible ciphertext that can’t be read by any cybercriminals who get their hands on it.
GDPR Encryption Requirements
The GDPR is one of the largest data privacy regulations in the world and aims to protect the privacy of people located in the EU. Although this may seem EU specific, it’s not. Virtually the whole world interacts with the EU in one way or another, which means that businesses around the world need to comply with the GDPR as well.
The General Data Protection Regulation recognizes the importance of encryption, which is why under article 32 “security of processing,” the GDPR states:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Reading this may make it seem that encryption is only but a suggestion under the GDPR, but recital 83 states:
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”
The GDPR requires organizations to incorporate encryption in order to protect consumers’ data and to mitigate the risks associated with data transfers (such as data sprawl or cyberattacks).
CCPA Encryption Requirements
Under the California Consumer Privacy Act, there’s no explicit mention of requiring encryption measures, although organizations are wise to do so. That’s because even though there may not be an explicit requirement for data encryption, there are fines associated with data breaches involving “nonencrypted or nonredacted personal information” (up to $750 per consumer per incident or actual damages). These fines may be waived in cases where encryption is used since the breached data is encrypted and unintelligible without the decryption key.
For the highest level of security, encryption should be used to protect data both while it’s at rest and in transit, regardless of where it is shared. Organizations have a responsibility to their consumers and need to layer data-centric encryption into their data management solution to facilitate the secure transfer of data when fulfilling data subject requests (DSRs).
Under the California Civil Code Section 1798.81.5, an organization or business that meets specific requirements and processes a California residents’ personal data is obligated to implement and maintain reasonable security procedures and practices appropriate to the nature of the information it processes. This is where “reasonable security” considerations must be given.
LGPD Encryption Requirements
According to an article from the International Association of Privacy Professionals (IAPP), Brazil has drafted more than 40 legal norms on a federal level that deal with data privacy. The only downside of these laws is that they are sectoral, meaning that they’re related to specific industries and don’t cover all aspects at an overall level. This is why the new data protection law of Brazil, known as the LGPD (which stands for Lei Geral de Proteção de Dados Pessoais), was drafted to provide a more comprehensive and overall regulatory framework.
The Lei Geral de Proteção de Dados Pessoais is closely modelled after the GDPR and contains sixty-five articles. It was passed on Aug. 14, 2018 and sanctioned by President Jair Bolsonaro in July 2019. The enforcement date is set to be Aug. 15, 2020.
Just as with the GDPR and CCPA, the LGPD (Brazil’s General Data Protection Law / Lei Geral de Proteção de Dados Pessoais) does not explicitly require organizations to encrypt their data, but still requires a reasonable amount of security when dealing with a consumer’s personal information. The easiest and most efficient way to facilitate this is through the use of encryption.
Under the LGPD, organizations must incorporate best practices in cybersecurity and data security for personal data. The LGPD notes that the law doesn’t apply to any personal data that’s encrypted or anonymized to a degree that makes it unintelligible and can’t easily be returned to its original state by those who might breach the data.
HIPAA Encryption Requirements
The Health Insurance Portability and Accountability Act (HIPAA) requires medical providers, also known as covered entities, to implement data security in order to protect their patients’ information from disclosure.
The HIPAA encryption requirements can seem confusing when it comes to understanding what’s required (or not) in terms of security and data protection. The reason being that the technical safeguards relating to the encryption of protected health information are defined as “addressable” requirements. The HIPAA encryption requirements for transmission security state that covered entities should “implement a mechanism to encrypt PHI whenever deemed appropriate.” This instruction is considerably vague and open to interpretation — hence, the confusion.
In other words, HIPAA does require organizations, or covered entities, to have some degree of security for PHI. Organizations are obligated to encrypt their data unless they can justify why they can’t implement encryption and can provide an equal alternative.
Fines Associated with Different Encryption Laws and Regulations
Under the CCPA, GDPR and LGPD, there are no specific fines that are associated with not implementing encryption. However, organizations may be able to avoid fines related to a data breach if proper encryption is implemented. For example, if an organization has proper encryption in place, in case of a data breach, they likely will not be penalized as the data breached is encrypted.
As for HIPAA, the law requires that organizations have proper encryption set in place for protected health information unless the organization can provide a solid reason as to why they can’t implement encryption and provide an equal alternative.
Even in a situation where an organization does claim to have a solid reason for not encrypting, they can still be fined heavily for not doing so. For example, The University of Rochester Medical Center (URMC) paid a $3 million penalty for their failure to encrypt mobile devices in addition to other HIPAA violations.
Last year, British Airways was fined £184 million ($230 million) for violating the EU’s General Data Protection Regulation. Consumers’ data was breached due to the organization’s poor security posture at the time of the breach. ICO said “The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.”
Data Encryption Best Practices
Regardless of whether the GDPR, CCPA, & HIPAA applies to your organization, or another regulation does (such as the Payment Card Industry Data Security Standards), encryption is an integral part of any organization’s security. As such, it’s important to keep in mind the best ways to implement data encryption to avoid any kind of mishap or loophole that can make your organization vulnerable to a data breach.
Here are a few of the best practices that organizations can incorporate in order to have an efficient encryption system:
Keep Your Encryption Key Secure
The first point may seem obvious, but it’s critical. This is specifically mentioned because it’s an easy mistake that could allow unauthorized parties to access your data. For example, if your encryption key is in a plaintext file on your PC, there’s a strong chance that someone could find it and cause damage.
A few solutions to tackle this could be to:
- separate the keys from the data,
- limit access of users, and
- rotate your keys on a schedule.
Encrypt All Sensitive Data
It’s paramount that all types of sensitive data is encrypted. As safe you may think your data is, you know that several companies have been breached because they left important data unencrypted and someone gained access to it. By encrypting your data, you make it much harder for someone who is able to breach your systems with malicious intentions.
Assess Data Encryption Performance
Effective data encryption entails not just making your data unreadable to unauthorized parties, but doing so in a way that uses resources efficiently. If it is taking too long or consuming too much CPU time and memory to encrypt your data, consider switching to a different algorithm or experimenting with settings in your data encryption tools.
Protect Data in Transit and at Rest
Encryption plays a crucial role in data protection and is used to secure data both in transit (while it’s being transmitted) and at rest (stored for later use). Enterprises often choose to encrypt sensitive data prior to moving and/or use encrypted connections (HTTPS, SSL, TLS, FTPS, etc.) to protect the contents of data in transit. To protect data at rest, enterprises can simply encrypt sensitive files prior to storing them and/or choose to encrypt the storage drive itself. To protect data in transit, they can install SSL/TLS certificates on their servers.
Encrypt Data in Your Databases
While other security tools protect a system from intrusion or attack, encryption of your database is a main form of defense that deals with security of the data. This means that even in the event of a system breach, compromised data is still only readable to users with the encryption key.
Implement S/MIME to Secure Email Communications
The secure/multipurpose internet mail extension (S/MIME) allows organizations to send end-to-end encrypted emails and fill any holes for data sprawl. A lot of sensitive data is communicated via email, and this is the best way to ensure these emails are secure.
Data encryption is an important part of any organization’s data security and facilitates secure communication. Some privacy regulations such as the GDPR, CCPA and LGPD mandate encryption, while some may not explicitly specify the use of encryption, but it’s still recommended. Privacy regulations frequently penalize organizations in cases of data breaches, but these penalties can be avoided in cases where the data is encrypted, as the person that breached the data can’t decipher it without the decryption key.
With zettabytes of data being created annually, organizations need to incorporate the best practices for data encryption in order to avoid any sort of data sprawl or breach. This can be achieved by securing your encryption key, encrypting all sensitive data, and assessing data encryption performance.
In this era of data privacy, encryption is no longer an option and companies would do well with encrypting all their sensitive data.