Encryption Laws

What happens after I hit send?

The legal and regulatory environment for most businesses increasingly requires a focus on protection of customer data. New data breaches are reported on an almost daily basis, and companies spend billions of dollars each year dealing with data breaches. A leading study in data breach costs found that in 2011, the average per incident cost to a company of a data breach was around $5.5 million, or a per customer cost of nearly $200. Malicious attacks made up more than one third of total breaches reported in the study, and those breaches also proved to be the most costly.

As national and local regulators have become more educated about the security of non-public information, the number of laws addressing data security has rapidly grown. As set forth below, more than two dozen states in the United States alone have enacted laws requiring companies to notify customers and take other remedial steps in the event of a data breach. Fifteen states have laws that require either a secure connection or the encryption of social security numbers during transmission.

HIPAA requires certain healthcare providers to implement technical safeguards to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network, including encryption of data where appropriate.

Under the Gramm-Leach-Blilely Financial Services Modernization Act of 1999, financial institutions must follow the Safeguards Rule, which requires that they develop an information security plan to ensure the security and confidentiality of customer information. The FTC, for example, recommends institutions consider encrypting information that is transmitted.

The IT Control Objectives of Sarbanes Oxley similarly state that when appropriate, public companies should ‘determine if encryption techniques are [to be] used to support the confidentiality of financial information sent from one system to another.

Many countries around the world have similar laws.

European Union Directive 95/46/EC, Chapter I, Article 17 requires that Member States provide that the controller implement appropriate technical and organizational measures to protect personal data against accidental or unlawful or unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network.

A 1999 Royal Decree from Spain requires that any sensitive data may only be transmitted through telecommunications networks if it has been previously encrypted or made illegible to any unauthorized third party.

Many companies have worked to ensure the security of their data stored within the enterprise. However, in an environment in which company personnel more frequently bring their own devices, the question remains: ‘what happens after I hit send?