Published: May 2018

Several privacy laws, including the EU General Data Protection Regulation and some U.S. state laws, carve out an "encryption exception." If a company encrypts its data and the key to access the data is not compromised, the thinking goes, the encryption renders the data unreadable, and hence, "there is no reasonable likelihood of harm to the data subjects, and the theft incident does not actually meet the legal definition of a data breach." In this white paper, InfraGard General Counsel Kelce Wilson, CIPP/E, CIPP/US, CIPM, presents several scenarios and corresponding vulnerabilities that could compromise encrypted data and result in a data breach.