The Key to Encrypted Data 10:14, October 13, 2016

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Our Resources

The Key to Encrypted Data

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone

Effective January 1, 2017, California expands its data breach notification law to require consumer notice when the security of encrypted personal information is breached and the encryption key or security credential is also compromised. “Encryption key” and “security credential” mean the confidential key or process designed to render the encrypted data useable, readable, and decipherable.

Previously, California required disclosures if unencrypted personal information was acquired by an unauthorized person.

AB 2828 requires people, businesses, and state and local agencies that own or license computerized data that includes personal information to disclose breaches to California residents when:

  • their encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; and
  • the encryption key or security credential was also acquired and the agency, person, or business reasonably believes that the encryption key or security credential could render that personal information readable or useable.
    .

According to AB 2828’s August 15, 2016 Senate Floor Analysis, when California’s data breach notification law first took effect in 2003, it included a safe harbor to exempt the exposure of encrypted personal information from the notification requirement. The analysis notes:

The inclusion of an encryption safe harbor was meant to incentivize organizations to encrypt personal information under their control. However, the protections offered by encryption are significantly compromised when encrypted data is acquired along with an encryption key that can be used to decrypt the data.

As the bill’s June 20, 2016 Senate Judiciary analysis notes, recent data breaches have involved the compromise of encryption keys as well as data.

Although California was the first state to enact a data breach notification law, other states have been expanding on its principles. About half of the states already require notice when an encryption key has been accessed or acquired.

Staggering Costs of Data Breaches

A 2016 study sponsored by IBM found that data breaches now cost $4 million on average. In a blog post at Healthcare IT News, Kurt Hagerman notes that:

The compiled costs of just one breach are staggering. You’ve got the costs associated with issuing notifications, accelerated demand on customer service, credit monitoring, and any initiatives and incentives aimed at customer retention. Patients could flood the courts with class-action lawsuits, while your business partners might sue to recover the costs of their fines and breach-related costs. . . . This doesn’t even include your internal investigative costs. And, of course, regulating bodies could impose fines and penalties, including jail time.

Customers who are injured by a data breach can sue to recover damages. California considers a delay in data breach notifications to be a violation of the unfair competition law, and the California Attorney General can issue penalties of up to $2,500 for each violation. In addition, the Federal Trade Commission (FTC) has found that the failure to protect data is an unfair practice under the FTC Act.

Agencies and businesses must plan to maintain the security of private or consumer-related data. As Hagerman says, “Ultimately, the cost of recovering from a breach will always be more exorbitant than any expenses incurred in safeguarding data with the right expertise and technology.”

An IBM study, “Understanding the economics of IT risk and reputation,” found that reputation and brand damage constitute the largest financial consequence of business and IT disruptions. LawRoom’s online data security training and its white paper on effective data security training can help organizations protect their encrypted data, their customers, and their reputations.

You might also be interested in...

  • Data Security Snafu not NegligentFebruary 6, 2017 Data Security Snafu not Negligent It was a true data security horror story. Hackers, according to a recent appeals court opinion in Pennsylvania, accessed and stole confidential information of 62,000 employees and former employees of the University of Pittsburgh Medical Center (UPMC). The information included names, […] Posted in legal update, data security
  • Data Security Risks Lurking in Shadow ITSeptember 9, 2016 Data Security Risks Lurking in Shadow IT We have previously written about ransomware, password reuse, and the DNC security hacks, but this post is about a common risk that lurks in the shadows, aptly called "Shadow IT." Contrary to what its name implies, Shadow IT is not the malicious creation of hackers. Instead, it is […] Posted in data security
Christine Day
Christine Day is a legal editor at EverFi. She writes about employment law issues and tracks case law and legislative and regulatory updates. Before joining EverFi she worked in legal publishing, researching and writing about tax law, business law, and employment law. She earned her JD from the University of San Diego Law School and her BA from the University of Southern California.

Leave a Reply

Leave a Reply

White Paper
Data Security training
for employees

  |   Download White Paper

 

Compliance Course Catalog
  |   Download Catalog