Data Encryption: Since no one is holding a magic mirror, it’s pretty easy to look at the numerous data privacy regulations across the entire planet and in individual US states and see the accelerating trend toward data privacy protection and compliance enforcement. Still more regulatory bodies are setting up rules to protect customers’ personal information and the sensitive data that enterprises use.
While organizations should certainly adhere to best practices for safeguarding private information, having to prove compliance with a data privacy regulation brings data security to a radically different level. To the long-standing risks of reputational damage and loss of customers, instantly add hefty fines, compounded across multiple eager enforcement agencies.
Organizations need to have a strategy in place to ensure compliance with current data privacy requirements and with the further regulations that are sure to come, as well as with the variations among the numerous regulations across states and nations. Organizations that are proactive in securing data throughout their environments will then be steps ahead of competitors as those regulations come into force.
Consider, for example, the California Consumer Privacy Act (CCPA), the California law that protects consumers from mismanagement of their personal data by companies doing business in California. Data encryption is specifically called out (along with data redaction) as the strongest defense against data loss.
As an extra incentive to encrypt data, CCPA applies data breach sanctions only if companies fail to protect personal data with data encryption or redaction. If personal information is secured with appropriate data encryption and data security measures, it cannot be used by unauthorized parties, so consumers are left unharmed and there is no basis to penalize organizations.
Under CCPA, doing something that is a worthy idea anyway, encrypting personal information, can now literally save an organization millions of dollars. CCPA damages may include a penalty of $100 to $750 per consumer per incident, or substantial damages, whichever is greater.
Now consider the landmark 2017 Equifax data breach, which compromised the personal information of 146 million consumers. If that happened today, the CCPA fines would conceivably start at $14.6 billion. However, CCPA applies data breach sanctions only if companies fail to protect personal data with data encryption or redaction. Secure the data, avoid the fine. Suddenly, every CFO expresses a newfound interest in data security.
CCPA is indeed a landmark piece of consumer privacy legislation, and the strongest such legislation seen in any US state, but other states are following suit: there are now more than ten states with comprehensive data protection laws that range in status from still in committee to signed into full-fledged law, and three states already have data protection laws in place.
While these regulations broadly follow the structure and content of CCPA, there are likely to be specific variations from state to state, all of which will need to be supported by organizations that process confidential data there. This is another reason why implementing a general-purpose technology like data encryption is so valuable: it can enable compliance with the broadest set of requirements.
More regulations are on the way, and companies that take proactive steps now to better safeguard the privacy of data will be better equipped for these future regulations, while of course better protecting their own and their customers’ private information.
One can see how this all plays out in another example of data privacy regulation. The European Union General Data Protection Regulation (GDPR) has been in effect since May 2018 and is a statutory framework that sets guidelines for the collection and processing of personal information from those who live in the EU. Just as other US states have followed California’s lead on data privacy regulation, GDPR has become a model for many national regulations beyond the EU.
While GDPR does not specifically call out data encryption as a method toward compliance and avoiding fines the way CCPA does, both regulations share the aim of protecting and preserving the data that organizations collect, for example in backups and archives, where data encryption can provide important privacy protections.
GDPR has more than an 18-month head start on CCPA, which has provided an opportunity to observe the direct consequences of the law. GDPR violations have been plentiful and rolling in fast: from October 2018 through December 2019, more than 30 fines were levied for GDPR violations. We can expect the same with CCPA once enforcement starts in July 2020, with the primary violators highly publicized.
Whether or not it is called out explicitly, and whether or not its benefits are acknowledged, data encryption is a crucial technology that protects sensitive data and personal information, enables compliance, and helps avoid significant financial and business loss from data privacy regulation violations.
The point is this: while data are encrypted and the encryption keys are kept secure, private data is rendered useless to attackers. Do not wait for an attack or breach to discover the power of data encryption. Data encryption holds the key to the safety and security of an organization’s most valuable data.