Strategic Security: Can Encryption Exemption Save Your Job?
A provision common to nearly all breach laws, the encryption exemption lets organizations forgo notifying victims of data loss if the information was encrypted at the time of the breach.
August 25, 2006
Exposing your customers' personal data is sure to put you in the doghouse, particularly if you are legally obligated to notify customers of the breach. But an encryption exemption, which is written into nearly every state breach notification law, may be the difference between a public relations nightmare and a disaster averted.
The encryption exemption, a provision common to nearly all those breach laws, lets organizations forgo the notification requirement if the personally identifiable information (PII) was encrypted at the time of the unauthorized disclosure. However, the encryption exemption hasn't been tested in courts. We don't know what judges will require to prove the data was encrypted at the time of disclosure. Some statutes, such as New York's, disallow the encryption exemption if the keys were also disclosed. Others don't have this seemingly common-sense provision, though courts may be willing to read it into the statute.
In addition to the legal complexities, enterprise encryption systems are notoriously difficult and expensive to implement. Even if you are willing to accept the cost and complexity, your investment can be compromised by poorly trained employees who use the system improperly or fail to use it. If you end up in litigation, the opposing party will likely try to show that the employee may not have properly encrypted the data.
Thus, before investing in an encryption system, identify the departments, projects and individuals that store and use PII. Unless you have executive leadership that is progressive on the issue, you'll probably be operating in triage mode: try to identify the most prevalent and riskiest users of PII. Those with a mandate and more resources can mount an exhaustive corporatewide effort. After you've inventoried your organization's PII and its users, develop a multistaged plan to minimize the risk of a breach-notification triggering event. The eventual goal? Encrypt the data.
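The inventory-and-triage step above, together with the two ways the exemption can be lost that the article names (an employee who never encrypted the field, and keys stored alongside the ciphertext), can be turned into a repeatable audit. The following is an added example written for this page, not code from the article or any product it mentions; the `enc:v1:<key_id>:<base64>` envelope format, the key-material hints, the risk weights and the sample stores are all constructed assumptions, and a real deployment would take the inventory from a data catalog and the key identifiers from its key-management system.

```python
"""Added example: audit a constructed PII inventory, flag fields that are not
actually encrypted or that sit next to key material, and rank stores riskiest
first so a triage plan can start with the worst offenders."""
import base64
import re
from dataclasses import dataclass, field

# Assumed envelope format for an encrypted field: enc:v1:<key_id>:<base64 blob>
ENVELOPE_RE = re.compile(r"^enc:v1:(?P<key_id>[^:]+):(?P<blob>.+)$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")
# Constructed markers that key material was pasted into a data store.
KEY_MATERIAL_HINTS = ("BEGIN PRIVATE KEY", "kms_key=", "aes_key=")


@dataclass
class Store:
    department: str
    name: str
    records: list                      # list of {field_name: value}
    findings: list = field(default_factory=list)


def classify_value(value: str) -> str:
    """Return one of: encrypted, plaintext_pii, key_material, malformed, other."""
    if any(hint in value for hint in KEY_MATERIAL_HINTS):
        return "key_material"
    m = ENVELOPE_RE.match(value)
    if m:
        try:
            base64.b64decode(m.group("blob"), validate=True)
            return "encrypted"
        except ValueError:             # binascii.Error is a ValueError
            return "malformed"         # looks like an envelope but is not one
    if SSN_RE.match(value) or CARD_RE.match(value):
        return "plaintext_pii"
    return "other"


def audit_store(store: Store) -> dict:
    """Classify every field in the store; record findings for anything unprotected."""
    store.findings = []
    counts = {k: 0 for k in ("encrypted", "plaintext_pii", "key_material", "malformed", "other")}
    for i, rec in enumerate(store.records):
        for fld, val in rec.items():
            kind = classify_value(str(val))
            counts[kind] += 1
            if kind in ("plaintext_pii", "malformed", "key_material"):
                store.findings.append(f"record {i} field '{fld}': {kind}")
    return counts


def risk_score(counts: dict) -> int:
    """Constructed weighting: each plaintext PII field costs 10, each malformed
    envelope 5, and ciphertext stored next to key material adds a flat 50,
    because a statute like New York's denies the exemption when keys leak too."""
    score = 10 * counts["plaintext_pii"] + 5 * counts["malformed"]
    if counts["key_material"] and counts["encrypted"]:
        score += 50
    return score


def triage(stores: list) -> list:
    """Return (score, 'department/store', counts) tuples, riskiest first."""
    ranked = []
    for s in stores:
        counts = audit_store(s)
        ranked.append((risk_score(counts), f"{s.department}/{s.name}", counts))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


# Constructed sample inventory; names and values are made up.
SAMPLE_STORES = [
    Store("HR", "payroll_db", [
        {"name": "A. Example", "ssn": "enc:v1:k-2024-03:AAECAwQFBgcICQ=="},
        {"name": "B. Example", "ssn": "123-45-6789"},          # never encrypted
    ]),
    Store("Marketing", "crm_export", [
        {"name": "C. Example", "card": "enc:v1:k-2024-01:AQIDBAUGBwgJ",
         "notes": "aes_key=QUJDREVGRw=="},                     # key next to data
    ]),
    Store("Finance", "ledger", [
        {"name": "D. Example", "card": "enc:v1:k-2024-02:not base64!!"},
    ]),
]

if __name__ == "__main__":
    for score, label, counts in triage(SAMPLE_STORES):
        print(f"{score:3d}  {label:22s}  {counts}")
    for s in SAMPLE_STORES:
        for f in s.findings:
            print(f"  {s.department}/{s.name}: {f}")
```

Run as a script it prints Marketing first (encrypted card data with an AES key pasted into a notes field), then HR (one unencrypted SSN), then Finance (an envelope that does not decode). The findings list is the evidence trail the article says litigation will demand: which record, which field, and why it would not qualify for the exemption.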