Encrypting Your Databases: What's the Law?
You already know that the biggest digital security risk for any business is a data breach. The rise in the number of ransomware attacks around the world shows that cyber crime is growing, and that it’s more important now than ever before to ensure that your sensitive company data is secure and that your organization maintains compliance with all federal and state laws and guidelines.
But for companies that hold customer or employee Personally Identifiable Information (PII), the problem doesn’t end when their systems are recovered. Pennsylvania law requires any breach of PII to be reported to the Attorney General, applicable state agencies, and any individuals whose data may have been compromised.
In other words, if you’re breached, it’s time to get your checkbook out and get ready for the lawyers.
A data breach like this can be costly and difficult to recover from, not to mention the damage it can do to your relationship with your clients and the trust your employees place in you. So, what can you do?
To avoid the headache of personal information being leaked by a data breach, any files that hold PII need to be placed in storage that has encryption at rest. Things like:
- 401(k) information and safe harbor census
- Photocopies of driver’s licenses
- Customer information and customer credit card information
- I-9 forms
- W-2 information
What is encryption at rest?
Generally speaking, there are two types of data: data in motion and data at rest. Data in motion is data that is actively moving between devices or across a network, the kind you’re likely to use on a daily basis. Data at rest is stored, usually inactive, data, meaning it’s not actively moving from device to device or network to network. This type of data is often targeted by hackers who know it can be easy to access, and that it’s often personal information. Encryption at rest keeps this stored data safe, making sure that even if it falls into the wrong hands, it’s secure.
By the way, password-protecting your Excel or Word documents and limiting folder permissions is not considered secure encryption at rest.
How does encryption at rest work?
Encryption is the process of translating one form of data into another form that unauthorized users can’t read. In the case of encryption at rest, it prevents the visibility of your stored data in the event of its unauthorized access or theft. This happens by using a mathematical algorithm that scrambles the data so that it can’t be unscrambled without a password “key.” Without the key, a hacker would need about two centuries to decode it. Only authorized personnel will have access to these files, meaning your data stays secure.
Know the law
Pennsylvania, like many other states, specifies that a business must provide prompt notification to individuals if a breach of personal information (such as someone’s name, social security number, credit card information, driver’s license, etc.) occurs. This means that if your business data is hacked or stolen, you’re responsible for telling your customers and employees, along with government reporting agencies. However, the use of encryption, such as encryption at rest, may modify the notification rules.
Don’t want to be put into the awkward position of telling the people that trusted you with their information that you screwed up? Encrypt your data! It’s vital to use encryption at rest, but encryption that allows you to securely protect your data can be useful to other aspects of your business information, as well.
Want to begin setting up encryption at rest for your sensitive business data, or want to know how else you can use encryption to keep your business safe? Call us at (610) 601-8017 and let’s talk. And remember to check out the rest of our blog for more tips!