Attorneys

"To Encrypt, or Not to Encrypt, There is No Question"

April 13, 2015

When reviewing best practices regarding data security, clients often ask whether encryption is “worth it.” Without hesitation, I generally respond that if data is appropriately encrypted, it can make all the difference if a breach occurs. Just ask Anthem. The reason why it makes all the difference?  Under HIPAA and most state data breach laws, encryption serves as almost a ‘safe harbor’ or a ‘get out of jail free card.’ If the data that has been breached is encrypted, then it is likely not considered to be a breach because the encryption renders the data unreadable or unusable.

Interestingly, encryption is not new. Ancient Spartans reportedly encrypted important messages by wrapping leather straps around a stick, etching the message lengthwise so when the leather was unwrapped, the message was indecipherable. It was only if the end user had a stick of the same diameter that the message could be deciphered. While we have moved beyond communicating with leather strips, its seems as though businesses are increasingly realizing the value of encryption, particularly after a data breach has occurred.

Not all encryption is created equal. It is important to understand what form of encryption makes sense to your organization and what level of encryption meets your organization’s needs. Additionally, it is important that your contracts reflect your encryption expectation when working with third parties that may have access to your data. With employees utilizing their own devices, encryption becomes even more valuable and should be reflected in your policies, employee education and internal audits. Finally, when applying for cyber liability insurance, encryption may make a substantial difference in your premiums or even the availability of coverage.