Strategic Security: Can Encryption Exemption Save Your Job?

A provision common to nearly all breach laws, the encryption exemption lets organizations forgo notifying victims of data loss if the information was encrypted at the time of the breach.

August 25, 2006


Exposing your customers' personal data is sure to put you in the doghouse, particularly if you are legally obligated to notify customers of the breach. But an encryption exemption, which is written into nearly every state breach notification law, may be the difference between a public relations nightmare and a disaster averted.

The encryption exemption lets organizations forgo the notification requirement if the personally identifiable information (PII) was encrypted at the time of the unauthorized disclosure. However, the exemption hasn't been tested in the courts. We don't know what judges will require as proof that the data was encrypted at the time of disclosure, so keep the records that could establish it, such as an inventory showing which devices and data stores had encryption enforced and when. Some statutes, such as New York's, disallow the exemption if the encryption keys were disclosed along with the data. Others lack this seemingly common-sense provision, though courts may be willing to read it into the statute.

In addition to the legal complexities, enterprise encryption systems are notoriously difficult and expensive to implement. Even if you are willing to accept the cost and complexity, your investment can be compromised by poorly trained employees who use the system improperly or fail to use it. If you end up in litigation, the opposing party will likely try to show that the employee may not have properly encrypted the data.

Thus, before investing in an encryption system, identify the departments, projects and individuals that store and use PII. Unless you have executive leadership that is progressive on the issue, you'll probably be operating in triage mode: try to identify the most prevalent and riskiest users of PII. Those with a mandate and more resources can mount an exhaustive corporatewide effort. After you've inventoried your organization's PII and its users, develop a multistaged plan to minimize the risk of a breach notification triggering event. The eventual goal? Encrypt the data.

But first, and perhaps even more important, train and educate PII users on the risks and the appropriate safeguards. Effectively implemented policy is a necessary prerequisite to technical solutions. Moreover, through training you can often avoid risky PII practices and events such as laptop theft (a common reason for lost data) in the first place, without having to invoke the encryption exemption at all.

Next, minimize the collection of PII, both when it's gathered and when it's extracted from a master database for a secondary use. For each data field, the PII user must be able to justify its collection with business reasons that outweigh the risk of a breach notification event. Another goal is to minimize the retention of PII. Vague notions of the future value of mining customer or client data don't justify keeping PII without a current business requirement. Regulated businesses may need to train and certify users who deal with PII.

For PII users performing market research or analyzing data, consider anonymizing the PII before it leaves the office. Analysis results computed from anonymized data on a flight from Denver to Los Angeles can always be run through a re-identification process back at the home office, where the data needed to reverse the anonymization stays. But if a laptop carrying the raw PII disappears while going through airport security, it's game over: you can start printing those disclosure notices and setting aside funds to subsidize credit-monitoring services for the data subjects.
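As an added illustration (this is example code written for this page, not anything from the original article), here is one way to do the split the paragraph describes: direct identifiers are replaced with keyed HMAC-SHA256 tokens, the traveling dataset keeps only the tokens and the analytic fields, and the key plus the token-to-identity map stay at the home office for re-identification. The column names, the sample records and the choice of which fields count as direct identifiers are assumptions for the example.

```python
"""Pseudonymize PII before it travels on a laptop (added example, not from the article).

Direct identifiers are replaced by keyed HMAC-SHA256 tokens. The key and the
token-to-identity map never leave the home office, so a lost laptop carrying
the travel set exposes tokens and analytic fields only.
"""
import hashlib
import hmac
import secrets

# Which columns are direct identifiers is an assumption for this example; a real
# PII inventory (see the text) decides that per dataset.
DIRECT_IDENTIFIERS = ("name", "email", "ssn")

# Constructed sample records, not real people.
SAMPLE_RECORDS = [
    {"name": "Alice Adams", "email": "alice@example.com", "ssn": "123-45-6789",
     "region": "West", "spend": 420},
    {"name": "Bob Brown", "email": "bob@example.com", "ssn": "987-65-4321",
     "region": "East", "spend": 310},
    {"name": "Alice Adams", "email": "alice@example.com", "ssn": "123-45-6789",
     "region": "West", "spend": 95},
]


def new_key() -> bytes:
    """Generate the pseudonymization key. It stays at the home office."""
    return secrets.token_bytes(32)


def token_for(key: bytes, record: dict) -> str:
    """Deterministic keyed token for one person.

    Same identity -> same token, so one person's records can still be joined
    in the travel set; without the key the token cannot be brute-forced from
    the (small) SSN or name space, and without the map it cannot be reversed.
    """
    identity = "\x1f".join(record[f] for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, identity.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(key: bytes, records: list[dict]) -> tuple[list[dict], dict[str, dict]]:
    """Split records into (travel_set, reid_map).

    travel_set: rows with the identifier columns removed and a "subject" token added.
    reid_map:   token -> original identifiers; stays with the key at the home office
                (it is itself PII and must be protected there like the master data).
    """
    travel_set: list[dict] = []
    reid_map: dict[str, dict] = {}
    for rec in records:
        tok = token_for(key, rec)
        reid_map[tok] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        row = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIERS}
        row["subject"] = tok
        travel_set.append(row)
    return travel_set, reid_map


def reidentify(travel_set: list[dict], reid_map: dict[str, dict]) -> list[dict]:
    """Back at the home office: restore identities from the map."""
    restored = []
    for row in travel_set:
        rec = {k: v for k, v in row.items() if k != "subject"}
        rec.update(reid_map[row["subject"]])
        restored.append(rec)
    return restored


def contains_pii(rows: list[dict], identifiers=DIRECT_IDENTIFIERS) -> bool:
    """Pre-flight check: True if any direct identifier column is still present.
    Refuse to copy a dataset to a laptop while this returns True."""
    return any(f in row for row in rows for f in identifiers)


if __name__ == "__main__":
    key = new_key()                      # generated and kept at the home office
    travel, reid = pseudonymize(key, SAMPLE_RECORDS)
    assert not contains_pii(travel)      # safe to take on the flight
    print("travel set:", travel)         # tokens + region/spend only
    # ... analysis happens on the road ...
    print("restored:", reidentify(travel, reid) == SAMPLE_RECORDS)
```

The travel set alone is useless to a thief; the map alone is a full list of data subjects, so it is PII in its own right and belongs under the same controls as the master database. A different key yields entirely different tokens, so two trips using different keys cannot be linked without the home office's cooperation.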

Remain flexible about your technology choice. The breach statutes don't dictate encryption methods, algorithms or key lengths. A lightweight approach may be sufficient; for instance, when it comes to laptops, virtual disk-encryption products (encrypted container volumes) may rank higher on performance and usability than whole-disk solutions. The trade-off is that a container protects only what users put inside it, which brings you back to training: PII saved to the desktop or a temp directory outside the container is unencrypted at the time of a theft.

Minimizing the risk of triggering a notification requirement is never easy. As with other data security goals, shore up your process and policy efforts, and rely on the encryption exemption as infrequently as possible.

Patrick R. Mueller is completing his law degree and a master's degree in public affairs at the University of Wisconsin-Madison, specializing in privacy and data security law and policy. He was previously a senior analyst for security consultancy Neohapsis. Write to him at [email protected].
