Encryption Holds the Key for Avoiding Fines from Data Privacy Violations

While no one holds a crystal ball, it’s pretty easy to look at the numerous data privacy regulations both around the globe, and in individual US states, and see the growing trend around protecting data privacy and enforcing compliance. More and more regulatory bodies are establishing regulations to protect consumers’ personal data and confidential information that is used in organizations.

While organizations should certainly adhere to best practices to safeguarding private information, having to prove compliance with a data privacy regulation brings data security to an entirely different level. To the long-standing reputational risk and loss of customers, now add hefty fines compounded against multiple eager enforcement agencies.

Organizations need to have a strategy in place to ensure compliance with current data privacy requirements and more regulations that are sure to come, as well as the variations between the different regulations across states and nations. Those organizations which are proactive in protecting data throughout their environments will already be steps ahead of competitors as regulations come into force.


Take for example the California Consumer Privacy Act (CCPA), the California law protecting consumers from mismanagement of their personal data by companies doing business in California. Encryption is specifically called out as the best defense (along with data redaction) against data loss.

As an extra incentive to encrypt data, CCPA applies data breach sanctions only if companies fail to protect personal data with encryption or redaction. If personal information is protected with appropriate encryption data security measures, it cannot be used by unauthorized parties, so consumers are left unharmed and there is no basis to penalize organizations.

Under CCPA, doing something that is a good idea anyway, encrypting personal information, can now literally save an organization millions of dollars. CCPA damages may include a penalty of $100 to $750 per consumer per incident, or actual damages, whichever is greater.

Now consider the example of the landmark 2017 Equifax data breach that compromised the personal information of 146 million consumers. If that happened today the CCPA fines would conceivably start at $14.6 billion. However, CCPA only applies data breach sanctions if companies fail to protect personal data with encryption or redaction. Protect the data, avoid the fine. Suddenly, every CFO has a newfound interest in data security.

CCPA is a landmark piece of consumer privacy legislation, and the strongest such privacy legislation seen in any US state; but other states are following suit and there are now more than ten states with comprehensive data protection laws that range in status from being in committee to being signed into full-fledged law, with three states having data protection regulation laws in place.

While these regulations generally follow the structure and content of CCPA there are likely to be some specific variations from state to state, all of which will need to be supported by organizations who process confidential data there. This is another reason why implementing a general-purpose technology like encryption can be so valuable, as it can enable compliance with broadest set of requirements.

More regulations are on the way, and those companies that take proactive steps now to better protect the privacy of data will be best equipped for these future regulations, while of course better protecting their own and customers’ private information.

One can see how this all plays out in another example of data privacy regulation, the European Union General Data Protection Regulation (GDPR) has been in effect since May 2018, and is a legal framework that sets guidelines for the collection and processing of personal information from those who live in the EU. Just as other US states have followed California’s lead for regulation around data privacy, GDPR has become a model for many national regulations beyond the EU.

While GDPR does not specifically call out encryption as a method toward compliance and avoiding fines like CCPA does, both regulations share in their aim of protection or preservation of data that organizations collect, for example backups and archives, where encryption can ensure important privacy measures.

GDPR has more than an 18 month head start on CCPA, which has provided an opportunity to see the direct consequences of the law. GDPR violations have been aplenty and rolling in fast. From October 2018 through December 2019 more than 30 fines had been levied for GDPR violations. We can expect to see the same with CCPA following the start enforcement in July 2020, with first violators highly publicized.

Whether called out explicitly or understanding the benefits, encryption is an important technology that protects sensitive data and personal information, enables compliance, and helps avoid significant financial and business loss from data privacy regulation violations.

When data is encrypted and encryption keys are secure, private data is rendered useless for attackers. Do not wait for an attack or breach to discover the power of encryption – encryption holds the key to the safety and security of an organization’s most valuable data.

What’s Hot on Infosecurity Magazine?