In one survey after another about the adoption of cloud computing, CIOs and other technology leaders readily admit that their top concern is data security.
There is a growing number of government and industry regulations and standards designed to help protect the confidentiality of data that companies have in their care. The need for guidance in this area is obvious, as 2014 saw a record number of software vulnerabilities and actual data breaches. Unfortunately, many of the companies that experienced those breaches are now facing lawsuits filed by individuals, investors and other entities that claim they were harmed by the exposure of their information.
Companies are under a lot of pressure to maintain data confidentiality, and so they turn to an array of technologies to help secure the data. Encryption is a highly effective technology that is widely used to obscure the actual value of private or sensitive data. Most organizations that have chosen to encrypt sensitive data have done so to be proactive, to prevent the loss of real data in the event of a breach, but now many companies are asking whether encryption is actually required by law.
Until recently, the focus has been on encrypting data on-premises – within applications and databases, on laptops and desktop PCs, in transit on the network – all within an organization’s own data center and network. With so many businesses now storing data in the cloud, data is moving off-premises and is handled by third-party cloud providers. This prompts us to look at the legal case for encrypting data in the cloud. When considering encryption in the cloud, just as with encryption on-premises, it is critical to include both unstructured data (e.g. files in SharePoint), and structured data (e.g. fields in Salesforce). Both unstructured and structured data may contain sensitive information and they are equally subject to security and compliance requirements.
Please note, this document is not a substitute for official legal advice on data protection. It is strongly recommended that readers seek legal counsel to learn their specific obligations for encryption to ensure compliance with applicable laws and regulations.
How much data do businesses put in the cloud?
To say that the growth rate of data stored by cloud service providers is phenomenal would be an understatement. In its benchmark 2013 industry report “The State of Cloud Storage,” the infrastructure provider Nasuni said there was over one exabyte (roughly a billion gigabytes) worth of files stored in cloud services at that time. Given the historical 30 to 40 percent annual growth rate of storage capacity, it’s a safe bet that the amount of data now stored in the cloud is approaching two exabytes. That’s phenomenal!
It’s true, there is an increasing amount of corporate data stored in the cloud. Research conducted by Skyhigh Networks shows that enterprise organizations use an average of 897 cloud services today. However, fewer than 10 percent of those services are “enterprise-ready,” meaning that the remaining 90-plus percent lack adequate controls to preserve data confidentiality. The average large company uploads 86.5 GB of data to high-risk cloud services every day. Keep in mind that even enterprise-ready services can be breached, so encryption is important even for corporate-approved cloud services.
Regulations require data protection
In and of themselves, laws and regulations pertaining to data protection and privacy do not guarantee that data breaches will not occur, and that private or sensitive data will not be exposed to unintended or unauthorized access. Nonetheless, companies that observe the regulations by putting the appropriate protective measures in place are far less likely to suffer a debilitating breach.
Over 80 countries and independent territories have adopted comprehensive data protection laws, including nearly every country in Europe and many in Latin America and the Caribbean, Asia and Africa. In the United States, there are numerous state and Federal regulations on data protection and privacy, as well as industry specific regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). Some of these regulations explicitly require data encryption, while others leave the choice of protection measures to the data guardians. Most of the regulations contain provisions for stiff penalties for inadvertent disclosure of sensitive data that can be avoided if the data is encrypted.
Let’s have a look at some of the specific regulations and what they require in terms of data protection.
U.S. state and Federal data privacy laws
In the United States, there is no all-encompassing Federal law regulating the acquisition, storage, or use of personal data. Regulatory requirements, for the most part, have been left up to individual states as well as some industry-specific requirements at the national level. This jigsaw puzzle of regulation across the country has created considerable confusion for organizations that must understand and comply with the provisions of the various laws that apply to their business.
As of March 2014, 46 states as well as the District of Columbia, Puerto Rico and the U.S. Virgin Islands all have enacted laws requiring notification of security breaches involving personal information. Most of these laws provide exemptions if data that is breached has been made indecipherable via encryption. At least 29 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable when it is no longer needed.
Here are just a few of the various state regulations and their references to data encryption:
In 2003, California became the first state in the U.S. with a data breach notification law, SB 1386. The law requires organizations to notify any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; encryption is therefore the law’s built-in safe harbor. The law has been amended several times since its original enactment. The amendment that went into effect January 1, 2015 (AB 1710) requires an organization whose breach exposed Social Security, driver’s license or California identification numbers to offer the affected individuals identity theft prevention and mitigation services at no cost for at least 12 months.
In Nevada, NRS 603A requires businesses to encrypt personal information whenever they transfer it electronically outside their secure systems, which includes data transmitted to or from a cloud service, and whenever it leaves their physical control on a portable storage device. Businesses that accept payment cards must additionally comply with PCI DSS.
In Massachusetts, 201 CMR 17.00 requires companies holding personal information of state residents to encrypt it when it is transmitted across public networks or wirelessly, and when it is stored on laptops or other portable devices.
HIPAA and HITECH for the healthcare industry
In the U.S., there are two regulations that pertain specifically to the healthcare industry: the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
HIPAA applies to organizations that handle protected health information: medical facilities, healthcare providers, health plans, clearinghouses and bill processors, and the business associates that handle patient data on their behalf. The HIPAA Security Rule specifies administrative, physical, and technical safeguards that covered entities and their business associates must implement to assure the confidentiality, integrity, and availability of electronic protected health information (ePHI). The rule does not flatly mandate encryption, but it names the technology as a safeguard for data at rest and in transit.
Encryption is an “addressable” implementation specification. That does not mean optional: a covered entity must implement it where its risk assessment finds it reasonable and appropriate, and otherwise must document why not and put an equivalent alternative measure in place.
HIPAA was enacted in 1996; HITECH, signed in 2009, extended it to address how technology affects the handling of health data. HITECH established breach notification rules: organizations covered by HIPAA must promptly notify the individuals whose health data was affected, the Department of Health and Human Services, and, if a breach affects more than 500 people, the media. The 2013 Omnibus Rule replaced the earlier “risk of harm” test: an impermissible use or disclosure of PHI is now presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised.
While many breaches involve unsecured laptops that are stolen, you can easily see how a breach of a cloud provider that does not encrypt data could expose thousands or millions of health records. Companies would like to avoid breach notifications because (1) they are expensive to administer, and (2) they are often followed by a wave of lawsuits by individuals who have been impacted by the breach. There is an exception to the rule; if data is made unusable, unreadable or indecipherable to unauthorized individuals, then the breach notification is not required. The regulations specifically call out encryption and destruction as the technologies and methods that render data unusable or indecipherable. In short, by encrypting personal health data, organizations can avoid costly notifications and the ensuing lawsuits in the event of a breach.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) enforces HIPAA security and privacy rules. Examples of some of the enforcement actions include:
- Concentra Health Services paid $1,725,220 in 2014 to settle violations resulting from the theft of an unencrypted laptop.
- In 2012, Blue Cross Blue Shield of Tennessee paid $1.5 million to settle a case involving 57 unencrypted computer hard drives that were stolen; it was the first enforcement action arising from a HITECH breach notification. The settlement came on top of more than $17 million the insurer had already spent on investigation, notification and protection expenses.
- OCR also fined QCA Health Plan, Inc. of Arkansas $250,000 after an unencrypted laptop containing personal health information for 148 people was stolen from an employee’s car. This example shows that breaches of even a small number of records can result in significant fines.
The bottom line is this: Although neither HIPAA nor HITECH require that data be encrypted, it’s clear that the exposure of unencrypted data can result in very hefty fines and other expenses.
PCI DSS for the payment card industry
The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization, regardless of size or transaction volume, that stores, processes or transmits cardholder data. Said another way, if customers ever pay the merchant directly with a credit or debit card, PCI DSS applies. The standard also covers service providers that process, store or transmit cardholder data on a merchant’s behalf, including payment processors and aggregators.
PCI DSS is maintained by the PCI Security Standards Council, founded by the major card brands (Visa, MasterCard, American Express, Discover and JCB), and is enforced contractually through the card brands and acquiring banks. While PCI DSS is not a law, per se, it carries the weight of one for companies whose business relies on the ability to accept credit and debit cards. If a company suffers a data breach and is found not to have met the requirements, the penalties can include hefty fines, increased transaction fees and the loss of the privilege of accepting cards at all.
Throughout the lengthy PCI DSS 3.0 requirements, encryption is consistently listed as a key measure for protecting cardholder data at every stage of the payment process, regardless of where that process takes place: on premises, in the cloud, over public or private networks. This covers data at rest and data in transit. Requirement 3 calls for stored primary account numbers to be rendered unreadable anywhere they are kept, with strong cryptography and sound key management among the accepted methods; Requirement 4 mandates that organizations “encrypt transmission of cardholder data across open, public networks,” which is precisely what happens when cardholder data moves to and from a cloud service provider.
FERPA for educational institutions
The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. In recognition of the fact that schools, school districts, postsecondary institutions, and State educational authorities maintain personally identifiable information (PII) about minors in their education records, the Department’s guidance under FERPA calls for “a sound data security program” that protects both data at rest and data in transmission. Written agreements with service providers who handle the data should specify the required data security elements, including any requirements related to encryption.
European data privacy laws
In the European Union (EU), the main legislation on protecting data relating to people derives from the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. Whether an organization is based in the EU, has branches in the EU, or provides services to EU residents, it needs to understand and conform to EU data protection laws. An organization is responsible for ensuring that data is not compromised, either maliciously or inadvertently. What’s more, if data is lost by a third party (such as a cloud service provider), the organization will be held responsible.
The current EU Data Protection Directive is vague on the matter of encryption. It simply states that “appropriate” security measures must be implemented to protect private data. However, several EU member states such as Spain, Italy, France, Austria and Belgium have gone beyond the EU Directive to require encryption for certain categories of data. For example, the Spanish law states that high security measures apply to all databases containing sensitive information and include tougher access control and data encryption when transferring the data.
The proposed EU General Data Protection Regulation, intended to replace the Directive, would bring much stricter penalties: the text adopted by the European Parliament in 2014 sets fines of up to 5% of a company’s annual worldwide turnover or €100 million, whichever is higher. The draft also relieves a controller of the duty to notify affected individuals of a breach when the data was rendered unintelligible to unauthorized parties, for example through encryption; it does not remove the controller’s underlying responsibility for protecting the data.
In the current Directive, the organization that collects the data from individuals, called the data controller, is solely liable for the appropriate care of the data. If the controller transfers the data to a cloud service and the data is breached, the controller is liable for the penalties. The new Regulation states that a third party that processes the data – such as a cloud service provider – also assumes liability when it takes possession of the data.
Recent research conducted by Skyhigh has shown that not many cloud providers meet the requirements of the upcoming EU law, see the blog post Only 1 in 100 Cloud Providers Meet Proposed EU Data Protection Requirements.
What the U.S. courts say
A 2011 data breach of Sony Gaming Networks was a turning point in the legal argument over security and the encryption of personal data. In a hacking attack that occurred between April 17 and April 19, 2011, personally identifiable information from approximately 77 million accounts was stolen. Sony was subsequently hit with numerous lawsuits and fines alleging that the company failed to adequately protect personal and financial information.
Many of the lawsuits were dismissed; however one notable case survived. This is the case of In re: Sony Gaming Networks and Customer Data Security Breach Litigation, case number 3:11-md-02258, in the U.S. District Court for the Southern District of California. The court recognized the legal duty to provide security, further finding that: “As a result, because Plaintiffs allege that they provided their Personal Information to Sony as part of a commercial transaction, and that Sony failed to employ reasonable security measures to protect their Personal Information, including the utilization of industry-standard encryption, the Court finds Plaintiffs have sufficiently alleged a legal duty and a corresponding breach.”
The case was settled for $17.75 million. Perhaps more significantly, the ruling has been cited in four new lawsuits filed in December 2014 over the November 2014 breach of Sony Pictures Entertainment.
Sony is certainly not alone in its litigation pertaining to a data breach.
The 2014 Home Depot credit card breach has already spawned 56 lawsuits, including this one that alleges: “Home Depot also failed to properly encrypt its customers’ data in violation of the PCI and industry standards. Strong encryption measures are necessary so that if data is improperly accessed it would be unusable and indecipherable to criminals who want to use it for illegal purposes. The rapid availability of Home Depot’s customers’ unencrypted data on the black market means Home Depot was either not encrypting the data at all, or using lax encryption standards that allowed thieves to quickly and easily decrypt it.”
As a technology, encryption can vary greatly from one implementation to the next. In other words, not all encryption is created equal. This fact has significance in a lawsuit against the digital marketing and media company Adobe Systems Inc. In 2013 Adobe experienced a breach of PII for as many as 38 million users and subsequently was named as a defendant in a lawsuit.
The suit alleges that Adobe’s encryption methodology was not sound and that “Adobe promises its users that it will provide ‘reasonable administrative, technical, and physical security controls’ to protect their PII and represents that it uses industry-leading security practices to do so, but Adobe’s actual security practices are substandard in the industry and continue to result in breaches of Adobe’s networks and software.”
The complaint also states: “According to one security website, Adobe’s encryption method was so weak that with very little effort researchers were able to recover a lot of information about the compromised data, including identifying the top five passwords precisely, the 2.75% of users who chose them, the compromised accounts’ password hints, and the password length of nearly one-third of the nearly 150 million user database.”
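The complaint quoted above describes the classic symptom of deterministic encryption: when the same password always encrypts to the same bytes, an attacker who steals the table can rank ciphertexts by frequency and read off the most popular passwords without ever touching the key. The Go program below is an added illustration written for this page, not code from the complaint or from Adobe; the complaint does not name the algorithm involved, so AES in ECB mode stands in for any per-record deterministic scheme, AES-CTR with a random IV stands in for a properly randomized one, and the password list is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// samplePasswords is a constructed stand-in for a leaked password column,
// skewed the way real sets are: a handful of choices account for most rows.
var samplePasswords = []string{
	"123456", "123456", "123456", "123456",
	"password", "password", "password",
	"qwerty", "qwerty",
	"letmein",
}

// padZero pads p with zeros up to a multiple of the AES block size. Zero
// padding keeps the example short; it is not a recommendation.
func padZero(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	out := make([]byte, len(p)+n)
	copy(out, p)
	return out
}

// encryptECB encrypts each 16-byte block independently under the same key.
// Nothing varies between calls, so equal plaintexts always give equal output.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	in := padZero(plaintext)
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptCTR uses AES-CTR with a fresh random IV per record, prepended to the
// ciphertext. Equal plaintexts now yield unrelated ciphertexts, so counting
// repeats tells the attacker nothing. (CTR gives confidentiality only; pair it
// with a MAC or use an AEAD mode such as GCM when integrity matters.)
func encryptCTR(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// largestCluster encrypts every sample password with enc and returns how many
// records share the most common ciphertext. The counting step needs no key: it
// is exactly what someone holding only the stolen table can do, and under ECB
// the biggest cluster is the most popular password, which a hint column or a
// wordlist then names.
func largestCluster(enc func(key, pt []byte) ([]byte, error), key []byte) (int, error) {
	counts := map[string]int{}
	for _, pw := range samplePasswords {
		ct, err := enc(key, []byte(pw))
		if err != nil {
			return 0, err
		}
		counts[string(ct)]++
	}
	max := 0
	for _, n := range counts {
		if n > max {
			max = n
		}
	}
	return max, nil
}

func main() {
	key := make([]byte, 32) // AES-256; the attacker never learns it
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ecb, err := largestCluster(encryptECB, key)
	if err != nil {
		panic(err)
	}
	ctr, err := largestCluster(encryptCTR, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ECB: %d of %d records share the most common ciphertext\n", ecb, len(samplePasswords))
	fmt.Printf("CTR: %d of %d records share the most common ciphertext\n", ctr, len(samplePasswords))
}
```

The key strength is irrelevant to this attack: AES-256 in ECB mode leaks the frequency distribution just as readily as a weaker cipher would, which is why courts and plaintiffs have started to ask not merely whether data was encrypted but how. For password storage specifically, the right answer is a salted, slow hash (bcrypt, scrypt, PBKDF2) rather than reversible encryption of any mode.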
Legal experts believe these cases have opened the door to future lawsuits involving breaches of personal information. In a post on Law360, attorneys Michael Buchanan, Michelle Cohen, and Ben Rossen of the firm Patterson Belknap Webb & Tyler LLP wrote: “In light of the continued proliferation of data breaches, litigation in this area is likely to grow. Although the majority of courts have held that allegations of injury in the absence of misuse of data are insufficient to establish Article III standing under Clapper, the Adobe and Sony decisions are proof that the issue is far from settled.”
Which cloud services encrypt data?
As companies rely more and more on cloud services to store and process sensitive data and PII, it’s clear that there is a need for strong security technologies and practices that will protect data in the event of a breach. For an enterprise, it can be a challenge to discern the security practices of all of the various cloud services that employees use—especially if the organization isn’t fully aware of which services are in use.
Skyhigh tracks the security controls of over 10,000 cloud services in a cloud registry, assessing more than 50 attributes of enterprise readiness. Skyhigh’s latest cloud adoption and risk report found that only 10% of cloud services encrypt data at rest; 78% of cloud services encrypt data in transit; but only 1% encrypt data using customer-managed encryption keys.
This last point is very significant. If a cloud provider generates and holds the encryption keys on an organization’s behalf, then the provider can read the data: its administrators, anyone who compromises its systems, and anyone who can legally compel it. Keys stored alongside the data are also likely to be lost in the same breach as the data, at which point the encryption protects nothing. When the organization generates its own keys, keeps them under its own control and encrypts data before it leaves its environment, the provider stores only ciphertext, and a breach on the provider’s side exposes nothing readable. The trade-off is that key management becomes the organization’s responsibility: a lost key means lost data, and the keys themselves need the same care (access control, rotation, backup) that the regulations demand for the data.
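The following Go program is an added example, not code from Skyhigh or from any cloud provider, showing what customer-managed keys look like in practice. The `CloudStore` type is a constructed stand-in for a provider’s object storage (it is not any real provider’s API), the `Tenant` type holds a key the customer generated, and the patient record is a made-up sample. Data is sealed with AES-256-GCM before upload and opened after download, so the store only ever holds ciphertext; a party with a different key, a tampered blob, or a blob copied to another object name all fail authentication instead of yielding data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore is a constructed stand-in for a cloud service's object storage.
// It persists whatever bytes it is handed and never receives a key, so a
// breach of the store (or a curious insider) yields ciphertext only.
type CloudStore struct{ objects map[string][]byte }

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

func (s *CloudStore) Put(name string, blob []byte) { s.objects[name] = append([]byte(nil), blob...) }

func (s *CloudStore) Get(name string) ([]byte, bool) {
	b, ok := s.objects[name]
	return append([]byte(nil), b...), ok
}

// Tenant holds a customer-managed AES-256-GCM key. Sealing happens before data
// leaves the tenant and opening after it returns, so the provider never holds
// anything that can decrypt.
type Tenant struct{ aead cipher.AEAD }

func NewTenant(key []byte) (*Tenant, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tenant{aead: aead}, nil
}

// Upload stores nonce || ciphertext || tag under name. The object name is bound
// in as associated data, so a blob copied to another name will not open.
func (t *Tenant) Upload(store *CloudStore, name string, plaintext []byte) error {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	store.Put(name, t.aead.Seal(nonce, nonce, plaintext, []byte(name)))
	return nil
}

// Download authenticates and decrypts. A wrong key, a modified blob, or a
// renamed object returns an error rather than silently yielding garbage.
func (t *Tenant) Download(store *CloudStore, name string) ([]byte, error) {
	blob, ok := store.Get(name)
	if !ok {
		return nil, errors.New("no such object")
	}
	ns := t.aead.NonceSize()
	if len(blob) < ns+t.aead.Overhead() {
		return nil, errors.New("blob too short to be valid")
	}
	return t.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// randomKey generates a fresh 256-bit key. In production this comes from the
// customer's own HSM or key-management service, never from the storage provider.
func randomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	store := NewCloudStore()
	custKey, _ := randomKey()
	customer, _ := NewTenant(custKey)
	const name = "records/patient-42.json"
	record := []byte(`{"name":"Jane Doe","note":"constructed sample record"}`) // made-up data
	if err := customer.Upload(store, name, record); err != nil {
		panic(err)
	}

	// The provider, or a thief with a copy of its disks, has keys of its own
	// but not the customer's: authenticated decryption fails outright.
	provKey, _ := randomKey()
	provider, _ := NewTenant(provKey)
	if _, err := provider.Download(store, name); err != nil {
		fmt.Println("provider cannot read the object:", err)
	}

	pt, err := customer.Download(store, name)
	fmt.Printf("customer reads: %s (err=%v)\n", pt, err)
}
```

Two design choices matter here. GCM is an authenticated mode, so the failure case is a clean error rather than plausible-looking garbage, which is what lets the customer detect tampering by the provider or a downstream attacker. Binding the object name as associated data closes the gap where an attacker with write access to the store swaps one valid ciphertext for another; the tag is valid only for the name it was sealed under.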