Several privacy laws, including the EU General Data Protection Regulation and some U.S. state laws, carve out an "encryption exception." If a company encrypts its data but the key to access the data was not compromised, the thinking goes, the encryption renders the data unreadable, and hence, "there is no reasonable likelihood of harm to the data subjects, and the theft incident does not actually meet the legal definition of a data breach," writes InfraGard General Counsel Kelce Wilson, CIPP/E, CIPP/US, CIPM. He posits, rather, that "a proper analysis should reflect the reality that encrypted data is vulnerable to compromise in a number of different ways." In this post for Privacy Tech, Wilson previews a more in-depth white paper for the IAPP in which he presents several scenarios and corresponding vulnerabilities that could compromise encrypted data and result in a data breach.