Top privacy issues for 2010: 5. Encryption - Ernst & Young - Global

Top privacy issues for 2010

Privacy risk 5: Encryption

Personal information protection has to cover information wherever it is and wherever it is going.

The practice of encrypting portable devices, portable media and electronic communications (including email messages and their attachments) is commonplace. While this may have been a cutting-edge idea or a leading practice just a year or two ago, in 2010, the encryption of personal information at rest and in transit should be standard operating procedure.

In some of the emerging regulations, such as those from Massachusetts and Nevada in the US, certain categories of personal information must be encrypted in specific circumstances, such as their transfer using email over the internet.

Even where encryption is not a direct requirement, most breach notification laws do not commonly require notification when the information that is lost was encrypted. In 2010, this exclusion applies also to the HITECH Act notification requirements over protected health information.

This is another reason for many organizations — including those that do not neatly fall within the health care industry, but handle information for its members — to apply encryption where it is warranted.

For many organizations, the use of encryption is not new. In fact, it has been part of the protection of specific systems and processes that have given rise to a wide patchwork of encryption tools, technologies and solutions. Eclectic as they are, each adds to the increasing challenge of encryption key management and brings technical limitations in applying them across different systems and operations.

For many such organizations, it is no longer the mere addition of encryption — the benefit of enhanced protection over personal information — that is the goal; it is the effective use of encryption technology.

For many organizations, encryption will come to mean maturing and streamlining the use of existing procedures and solutions. It will also mean identifying specific tools and applying them consistently by:

  • Upgrading from folder-based to full-drive encryption of portable media for better coverage
  • Using encryption technology less reactively — not on an issue-by-issue basis, but rather more holistically, with an eye on the organization’s broader compliance and risk management needs


Ask yourself

With an eye on encryption, have you:

  • Identified encryption solutions for the security of portable media and communications containing personal information?
  • Identified opportunities to manage those solutions more effectively so encryption can be more commonly available and cost effective?
  • Inventoried your systems and information to identify where encryption solutions will be most relevant for compliance and risk management?

