With the increased rate of data breaches targeting personal information, an increased public awareness of online privacy, and an increasingly demanding regulatory landscape, large and small businesses are looking to additional forms of security to protect themselves and their customers from unauthorized access. These efforts have largely targeted preventing unauthorized access via different types of access control, like firewalls, strong passwords, anti-malware, two-factor authentication and data sandboxing. However, businesses must also plan for the failure of these technologies. In the event that unauthorized individuals gain access to sensitive data, businesses are increasingly turning to data encryption to safeguard the data itself.
What is encryption?
Encryption is a way of “scrambling” data in such a way that without a key to “unscramble” it (or decrypt it), the data is unreadable. There are various forms of encryption, each with its own benefits and drawbacks, but generally, they all serve the same purpose: to reversibly randomize the data to make it unreadable to unauthorized individuals.
The strength of an encryption key is measured in “bits.” The number of bits represents the number of characters (1’s and 0’s) in the encryption key. Thus, the commonly used standard AES 128-bit encryption is composed of a string of 128 1’s and 0’s used to encrypt and decrypt the data. Because each bit can be either a 1 or a 0, to attack such a password by attempting to guess the key, one would have to guess that key out of the 2128 possibilities. This puts attacks using raw computing power to guess the key — known as brute force attacks — out of the reach of most common modern computer systems. That said, the march of technology continues and computer systems are continually growing in strength and power. As a result, 192- and 256-bit encryption systems are becoming more common, making brute force attacks on these keys exponentially more difficult.
When is encryption Important?
With the rise in data breaches (and the expense associated with such breaches), all businesses should consider encrypting any private, confidential or sensitive information, but particularly those industries where sensitive data protection is of a legal consequence. Attorneys, for example, handle confidential and privileged client data on a regular basis. Of additional concern is ABA Model Rule 1.1 which has recently been amended to include the requirement that an attorney has the duty “to stay abreast of changes in the law and practice includes understanding the benefits and risks of relevant technology.” With the rise of encryption as a standard form of data protection in many industries, it is important for attorneys to not just understand encryption. Someday soon, attorneys may be expected to encrypt privileged client data to comply with their professional responsibilities.
In addition to the legal field, healthcare has an affirmative requirement to protect “personal health information” under federal and state HIPAA statutes. In 2013, the Department of Health and Human Services published a Final Rule modifying the Federal HIPAA rules that explicitly anticipates that covered entities will employ encryption systems to protect patient data.
Outside of those industries where data protection is required by professional standards or the law, encrypting key data should also be a concern for those industries where data protection is critical to the success of the business. For those industries heavily involved in technology, research and development efforts are often a large portion of business spend. In such industries, protecting key technological data is increasingly important to protect business advantages. Businesses and even sovereign states are actively involved in technological espionage. One way to prevent your company’s key technology from falling into the hands of your competitors is to encrypt that information. It may also be a good idea to extend such encryption protection to information about who in your company is responsible for developing your technology to prevent key employees from being poached by competitors.
Encryption is also increasingly important because of the prevalence of entry points to a business’ networks. More recently, manufacturers of connected devices around the home, increasingly referred to as “the internet of things” or “IoT,” are being scrutinized and found to lack encryption or sufficiently secure connections. As a result, devices that may be as simple as a connected light bulb, which can change color or be operated by a cell phone app, can provide intruders with unlimited access to a wireless network. While this may not be a serious issue in the home, should these devices be deployed in a business environment, they can represent real threats to the integrity of a business’ network security.
Encryption, despite its benefits in protecting sensitive data, is not without its pitfalls and considerations. First and foremost, it is not a “free” technology. Whenever data is encrypted and decrypted, it takes significantly more computer power than when unencrypted. When entire databases are encrypted, and large files are regularly read, this encryption can add up in terms of computational and electrical requirements for servers and personal systems, and, on older hardware, may degrade overall performance.
Encryption systems are also vulnerable to inconsistent application. When encrypted data is sent between systems, it may be encrypted when created and when transmitted, but once it reaches its destination, it may be stored in an unencrypted format, unbeknownst to the sender. When employing an encryption system to protect data that is shared with or received from other entities, it is important to understand where the encryption begins and where it ends.
Finally, as with any digital security system, the weakest link is often the human user. Data encryption usually relies on a password. This password is used to initiate the use of the key in decrypting the data. Weak passwords are as much a vulnerability to an encrypted set of data as they are to user accounts, email accounts, servers, and any other computer system. Such weak passwords are the most common reason that encrypted data may be compromised. Ensuring that strong passwords are used (i.e., passwords that are of sufficient length and complexity) in conjunction with encryption technology can greatly increase the effectiveness over using encryption alone. Thus, it is important to remember that encryption can only be a single part of a more comprehensive and multi-part security system employed to protect data.
At Thompson Coburn, we have a team of data privacy and cybersecurity attorneys who are experienced in assisting companies evaluate their ability to prevent and react to data breaches. We can assist with a review of the security procedures implemented in a business’s day to day operations, help design an incident response plan, assemble an incident response team and assist in making sure your business is best prepared for any unauthorized access to its data. We would be happy to answer any questions you may have regarding this article or any other data security or cyber security issues.
If you or your company have questions about this topic, please do not hesitate to contact us.