The Key to Encrypted Data
Effective January 1, 2017, California's data breach notification law, as amended by AB 2828, requires notice to consumers when the security of encrypted personal information is breached and the encryption key or security credential is also compromised. "Encryption key" and "security credential" mean the confidential key or process designed to render the encrypted data useable, readable, and decipherable.
Previously, California required disclosure only if unencrypted personal information was acquired by an unauthorized person; a breach of encrypted data triggered no notice, whether or not the key went with it.
AB 2828 requires people, businesses, and state and local agencies that own or license computerized data that includes personal information to disclose breaches to California residents when:
- their encrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; and
- the encryption key or security credential was also acquired and the agency, person, or business reasonably believes that the encryption key or security credential could render that personal information readable or useable.
According to AB 2828’s August 15, 2016 Senate Floor Analysis, when California’s data breach notification law first took effect in 2003, it included a safe harbor to exempt the exposure of encrypted personal information from the notification requirement. The analysis notes:
The inclusion of an encryption safe harbor was meant to incentivize organizations to encrypt personal information under their control. However, the protections offered by encryption are significantly compromised when encrypted data is acquired along with an encryption key that can be used to decrypt the data.
As the bill's June 20, 2016 Senate Judiciary analysis notes, recent data breaches have involved the compromise of encryption keys as well as the encrypted data. In practice this happens when the key is kept with the data it protects, for example in a configuration file on the same server or in the same database that holds the encrypted records, so that whoever copies the data copies the key too.
Although California was the first state to enact a data breach notification law, other states have since expanded on its principles. About half of the states already require notice when an encryption key has been accessed or acquired along with the encrypted data.
Staggering Costs of Data Breaches
A 2016 study sponsored by IBM found that the average total cost of a data breach is now $4 million. In a blog post at Healthcare IT News, Kurt Hagerman notes that:
The compiled costs of just one breach are staggering. You’ve got the costs associated with issuing notifications, accelerated demand on customer service, credit monitoring, and any initiatives and incentives aimed at customer retention. Patients could flood the courts with class-action lawsuits, while your business partners might sue to recover the costs of their fines and breach-related costs. . . . This doesn’t even include your internal investigative costs. And, of course, regulating bodies could impose fines and penalties, including jail time.
Customers who are injured by a data breach can sue to recover damages. California treats a delay in data breach notification as a violation of its unfair competition law, for which the California Attorney General can seek civil penalties of up to $2,500 for each violation. In addition, the Federal Trade Commission (FTC) has treated the failure to adequately protect data as an unfair practice under the FTC Act.
Agencies and businesses must plan to maintain the security of private and consumer-related data, including the keys that protect it. As Hagerman says, "Ultimately, the cost of recovering from a breach will always be more exorbitant than any expenses incurred in safeguarding data with the right expertise and technology."
An IBM study, “Understanding the economics of IT risk and reputation,” found that reputation and brand damage constitute the largest financial consequence of business and IT disruptions. LawRoom’s online data security training and its white paper on effective data security training can help organizations protect their encrypted data, their customers, and their reputations.