What are the legal obligations to encrypt personal data?
A new report by UK-based law firm FieldFisher details the legal obligations to encrypt personal data that arise from industry compliance regimes such as PCI DSS, as well as from national laws and local regulations.
Driven by relentless news about cyber threats, security breaches and data loss, lawmakers and regulators the world over are increasingly defining new obligations for data security. Encryption requirements have been a prominent focus for the resulting new regulations, becoming a mandatory requirement for personal and financial data. In some cases, requirements have extended beyond encryption to include data access controls and threat pattern recognition.
“Persistent, high profile stories about organizations who have failed to adequately protect personal data from today’s enhanced levels of cyber threats are causing legislators and regulators globally to mandate stricter, more detailed protection requirements,” said Phil Lee, partner with FieldFisher, and editor of the report.
“We are witnessing a unique legal phenomenon; there is a global convergence of data security law and regulation around the issue of encryption so that it does not matter where in the world your organization operates – regulators everywhere increasingly expect encryption of sensitive data, computers, databases and applications.”
Some key points from the report:
- In Europe, overlapping mandates from the European Union (EU) and national governments across the continent result in requirements that vary by jurisdiction. Meeting these standards requires global organizations to conduct both a top-down and a bottom-up review.
- Access controls and intelligent pattern recognition for private data protected by encryption are starting to take hold as parts of PCI DSS and ISO 27001, and as a result of EU jurisprudence rulings.
- In the USA, overlapping federal regulations (HIPAA, GLBA, FCRA, SOX, FISMA), NIST standards for federal agencies, FTC expectations and 47 US state laws result in multiple drivers for the same requirement set: encrypt personal and financial data, and control access to it.
“While encryption is an important element in securing information, it should not be seen as a panacea to all security issues. Forcing companies to focus on encrypting data could result in those companies overlooking other critical areas of security such as monitoring of system logs, perimeter security, and ensuring staff receive effective security awareness programs. Encryption protects data at rest and while it is in transit; however, when it has to be processed it has to be decrypted,” said Brian Honan, CEO at BH Consulting and Special Advisor to the Europol Cybercrime Centre.
“Encrypting sensitive data is important but it would be better if companies were obligated to take a comprehensive approach to protecting sensitive data entrusted to them and not just to focus on one element,” Honan added.