One of the leading causes of data breaches continues to be the loss of company-issued devices, all the more perplexing when you consider encryption. This article will explain what encryption is, how to deploy it, and the legal fallout for businesses that fail to implement it.
The Case of the Stolen NASA Laptop
In 2012, NASA made headlines for all the wrong (and all too familiar) reasons. A thief broke into a NASA employee’s car, stealing the employee’s NASA-issued laptop in the process. The laptop contained sensitive personally identifiable information on a “large number” of people, later found to be at least 10,000 employees. A relatively inconsequential inconvenience turned into a huge problem when the federal agency discovered the laptop’s hard drive wasn’t encrypted. The aftermath was costly to the tune of nearly $960,000 of taxpayers’ dollars, spent on a variety of fronts: notifying suspected victims, providing credit monitoring for these victims, and implementing agency-wide encryption of all NASA hard drives. A simple mistake ultimately turned into a million-dollar headache.
What Is Encryption and How Does It Work?
Encryption is the process by which data in readable (known as “plaintext”) format is converted into indecipherable code (aka “ciphertext”). Once a device is encrypted, the only way a person can decode and read the device’s contents is by way of a secret key (referred to as a decryption key) or password.
For every device a company issues to its employees, encryption should be a baseline data security measure. Password protection is not enough. Even if a company device requires a password, criminals have various means by which they can nonetheless extract information. Although encryption doesn’t completely immunize an owner from any and all digital threats, it significantly reduces the risk posed by someone gaining physical access to a particular device.
A variety of encryption software packages are available, but the easier and more practical encryption options come built in on almost any computer. Take Apple, for example. Apple’s Mac comes with a built-in encryption program called FileVault. Enabling FileVault provides the user with full-disk encryption, and helps prevent unauthorized access to the hard drive’s contents (Apple offers a step-by-step tutorial on how to ensure FileVault is on). For Windows users, laptops typically have encryption turned on by default. Moreover, the more recent Windows laptops give users the option to use the built-in encryption tool, BitLocker (Windows instructions for BitLocker).
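Confirming that FileVault is actually on across a fleet is the check a security team runs after the tutorial above. The shell script below is an added example, not from Apple or the original article: it classifies the output of macOS’s `fdesetup status` command into on, still-converting, or off, and the sample status strings it falls back to when `fdesetup` is absent are constructed for illustration.

```shell
#!/bin/sh
# Classify the text printed by `fdesetup status` (macOS FileVault).
# Exit code: 0 = full-disk encryption fully on, 2 = still converting,
# 1 = off. Conversion lines are matched first because macOS also prints
# "FileVault is On." while a conversion is running.
filevault_state() {
  # $1 holds the text produced by `fdesetup status`
  case "$1" in
    *"Encryption in progress"*) echo "in-progress"; return 2 ;;
    *"Decryption in progress"*) echo "in-progress"; return 2 ;;
    *"FileVault is On."*)       echo "on";          return 0 ;;
    *)                          echo "off";         return 1 ;;
  esac
}

# Constructed sample outputs (not captured from a real machine)
SAMPLE_ON="FileVault is On."
SAMPLE_OFF="FileVault is Off."
SAMPLE_PROGRESS="FileVault is On.
Encryption in progress: Percent completed = 42."

# On a real Mac, audit the live status; elsewhere fall back to the
# constructed "off" sample so the script still runs for demonstration.
audit_filevault() {
  if command -v fdesetup >/dev/null 2>&1; then
    status=$(fdesetup status 2>/dev/null)
  else
    status="$SAMPLE_OFF"
  fi
  filevault_state "$status"
}
```

An MDM or inventory job can call `audit_filevault` on each Mac and flag any host whose exit code is not 0 for remediation before the device leaves the building.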
To summarize, a highly effective security tool used to protect data is free. Yet in spite of this, companies consistently fail to take advantage of encryption, all while employees lose laptops, USB drives, or other devices full of sensitive information. An easily preventable mishap can quickly turn into a costly legal nightmare.
The Consequences of Losing an Unencrypted Device
The loss of a company device implicates a number of different legal scenarios:
1. Data Breach Notification
Plain and simple, an employee’s loss of an unencrypted device filled with personally identifiable information triggers security breach obligations. All fifty states and the District of Columbia now have data breach notification statutes. These laws require a company to notify victims (and in some instances, regulators and credit bureaus, too) in the event personally identifiable information is inappropriately made available. However, notification obligations do not apply under what’s commonly referred to as the “encryption safe harbor.” Found in all breach notification statutes, the encryption safe harbor allows companies to avoid data breach obligations so long as: (i) the data was encrypted; and (ii) the unauthorized person did not acquire the encryption key so as to render the data readable. The “encryption safe harbor” represents a “get out of jail free” card from the costly process of notification for companies that have lost devices full of sensitive information.
2. General State Data Protection Laws
An assortment of states have statutes that generally address corporate data security obligations. The vast majority of these laws lack specificity as to what companies must do. Instead, the laws require that companies adopt “reasonable” data security measures. Nevertheless, Nevada explicitly requires that companies use encryption in certain circumstances. Nevada law § 603A.215 requires businesses to encrypt both electronic transmissions and data storage devices which contain personal information. This means a company that does not utilize encryption in an e-mail or device transmitting or storing personal information is in violation of the law.
3. FTC Enforcement Actions
The FTC has sued a company that failed to use adequate encryption measures. In a 2016 case against a dentist office, the FTC took issue with the fact that Henry Schein Practice Solutions did not encrypt patient data even in light of promises to do so. The FTC found that the dentist office’s marketing materials were replete with promises of “encrypted patient data.” The penalty for such misrepresentations was a $250,000 fine. Instead of misrepresenting how information is stored, companies should simply go ahead and use encryption.
With technology now allowing more work flexibility than ever before, encryption provides a great safety net for situations in which employees lose work devices. Free, easily deployable, and with virtually no downside to its use, encryption goes a long way towards mitigating the legal risks concerning the loss of sensitive information.
Are you a business owner with cyber security questions? Are you in need of a more complete understanding of your organization’s data security risks? Contact us today.
Follow me on Twitter @CyberSecureAtty