Since South Dakota passed its data breach notification law earlier this year, I have been reviewing the breach notification laws across the US. All 50 states have now enacted such legislation, but over the years little progress has been made on one important aspect of the statutes: there is no consistent definition of the encryption standard across the states that have either defined a safe harbor for encrypted data or attempted to define encryption.
Several states include a safe harbor for encrypted data in the notification requirements, such as “if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable”(1) or “when the name and data elements are not encrypted”(2). Many more states include encryption in the definition of a breach, such as “[b]reach of the security of the system means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity.”(3) But only two states define the encryption standard in an objective manner that gives businesses concrete guidance.
There are many ways in which computers can transform data, and they can combine several techniques quickly and efficiently. But however the data is altered, encryption uses a key, either symmetric or asymmetric. Symmetric encryption means the same key is used to both encrypt and decrypt the message. Asymmetric encryption involves two different keys: a public key to encrypt the data and a separate private key to decrypt it. The strength of an encryption scheme rests on more than one number. The algorithm must be sound, meaning no known attack is cheaper than trying every possible key; the key must be long enough that trying every key is infeasible (within a given algorithm, the longer the better); and the key itself must be generated randomly and kept secret, because data encrypted with a key the attacker also holds is effectively unencrypted. The number of rounds an algorithm performs on the data is an internal design parameter, not an independent measure of strength.
The techniques and the keys have become more complex over the years as computers have evolved. Newer and faster computers have created a need to continuously update and improve encryption techniques, and the techniques of 20 years ago are now considered obsolete. An early example is the Data Encryption Standard (DES). DES used a 56-bit key and performed 16 rounds of encryption. DES was fine in its day, but in 1998 a purpose-built machine brute-forced a DES key, trying every possible key until one turned a known ciphertext back into its plaintext. That attack, which once required custom hardware, is now within reach of commodity equipment: a handful of graphics cards or rented cloud capacity can exhaust the 56-bit key space in days rather than years.
The National Institute of Standards and Technology (NIST) is the federal agency that publishes the US government's encryption standards. For symmetric encryption, the current NIST-approved algorithm is AES, whose smallest key is 128 bits; 192- and 256-bit keys are also approved. Key lengths are not comparable across algorithm families, so the larger numbers seen for asymmetric keys do not mean more protection: under NIST SP 800-57, a 2048-bit RSA key offers only about 112 bits of security and a 3072-bit RSA key about 128 bits, and the 1024-bit RSA keys that were once common are no longer acceptable at all. A 128-bit key with a NIST-approved symmetric algorithm is therefore the recommended minimum.
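The three technical points above in runnable form, as an added example that is not part of the original post and uses only the Go standard library: symmetric AES-128-GCM (the same key encrypts and decrypts), asymmetric RSA-2048 used to wrap the AES key so that only the private-key holder can recover it (hybrid encryption), and the 1998 DES attack in miniature, where one known plaintext/ciphertext pair lets exhaustive search recover the key. The sample record, the DES key and the assumption that the first six DES key bytes are already known are all constructed for the demo.

```go
// Added example, not from the original post. Standard library only.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewKeys generates an RSA-2048 key pair (about 112-bit security strength
// under NIST SP 800-57) and a random 128-bit AES key.
func NewKeys() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	aesKey := make([]byte, 16) // 16 bytes = 128 bits
	if _, err := rand.Read(aesKey); err != nil {
		return nil, nil, err
	}
	return priv, aesKey, nil
}

// EncryptAESGCM is the symmetric case. Output is nonce || ciphertext || tag,
// so any modification of the ciphertext is detected on decryption.
func EncryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAESGCM reverses EncryptAESGCM with the same key.
func DecryptAESGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// WrapKeyRSA / UnwrapKeyRSA are the asymmetric case: anyone holding the
// public key can wrap the AES key, only the private key can unwrap it.
func WrapKeyRSA(pub *rsa.PublicKey, aesKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
}

func UnwrapKeyRSA(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// RecoverDESKey: given one 8-byte plaintext block and its DES ciphertext,
// try keys until one reproduces the ciphertext. Assumption for speed: the
// first six key bytes are known, so only the last 16 bits are searched; the
// real attack is the same loop over all 2^56 effective keys. DES treats the
// low bit of each key byte as parity, so a match may differ from the
// original key only in those bits.
func RecoverDESKey(knownPlain, knownCipher []byte, knownPrefix [6]byte) ([]byte, bool) {
	key := make([]byte, 8)
	copy(key, knownPrefix[:])
	out := make([]byte, des.BlockSize)
	for i := 0; i < 1<<16; i++ {
		key[6], key[7] = byte(i>>8), byte(i)
		c, _ := des.NewCipher(key) // only errors on a wrong key length
		c.Encrypt(out, knownPlain)
		if bytes.Equal(out, knownCipher) {
			return append([]byte(nil), key...), true
		}
	}
	return nil, false
}

func main() {
	priv, aesKey, err := NewKeys()
	if err != nil {
		panic(err)
	}
	record := []byte("constructed sample record: Jane Doe, SSN 000-00-0000")
	ct, _ := EncryptAESGCM(aesKey, record)
	wrapped, _ := WrapKeyRSA(&priv.PublicKey, aesKey)
	unwrapped, _ := UnwrapKeyRSA(priv, wrapped)
	pt, err := DecryptAESGCM(unwrapped, ct)
	fmt.Printf("hybrid round trip ok: %v (err=%v)\n", bytes.Equal(pt, record), err)

	// Constructed DES key for the brute-force demo; never use DES for real data.
	secret := []byte{0x13, 0x34, 0x57, 0x79, 0x9b, 0xbc, 0xde, 0xf0}
	c, _ := des.NewCipher(secret)
	plain, cipherBlock := []byte("8bytes!!"), make([]byte, des.BlockSize)
	c.Encrypt(cipherBlock, plain)
	var prefix [6]byte
	copy(prefix[:], secret[:6])
	found, ok := RecoverDESKey(plain, cipherBlock, prefix)
	fmt.Printf("DES key recovered: %v %x\n", ok, found)
}
```

The hybrid pattern is the one to expect in practice: bulk data goes under a symmetric key, and the asymmetric key only protects that symmetric key. Note what a statutory safe harbor does not check for you: the AES key here lives in the same process as the data, so in a real system the key must be held somewhere the attacker who takes the data cannot also reach.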
Of the two states that define how encryption is to be done, one specifies a key size (128-bit or higher, Massachusetts (4)) and one refers to the standards set by NIST (Washington (5)). Of the other 48 states, several refer to “transformation of data through the use of an algorithmic process into a form in which there is low probability”(6) of reading or decrypting the data, but the vast majority do not attempt to define what encryption standard to use. And what may be considered a low probability in one jurisdiction may not be accepted in another. Note that a key-size rule on its own is an incomplete test: 128 bits is ample for AES but trivially breakable for RSA, and a 128-bit key used with a broken algorithm, or a key the attacker obtained along with the data, offers no protection. A reference to the NIST standards captures algorithm, key size and mode of operation together.
Every company should review the encryption it uses to protect its own data and its customers' data to ensure adequate protection. The algorithm used should be a NIST-approved one with at least a 128-bit key, and the keys should be stored separately from the data they protect, whether or not the statute requires it. Not all encryption is equal, and courts may not accept your definition of encryption even if your state has no minimum encryption standard. To review your encryption standard, contact a Sioux Falls, Sioux City, or Omaha lawyer today.
Endnotes:
(1) Mo. Rev. Stat. § 407.1500(9)
(2) Neb. Rev. Stat. § 87-802(3)
(3) Neb. Rev. Stat. § 87-802(1)
(4) Mass. Gen. Laws ch. 93H, § 1(a)
(5) Wash. Rev. Code § 19.255.010(7): “encrypted in a manner that meets or exceeds the national institute of standards and technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person.”
(6) W. Va. Code § 46A-2A-101(3)