On January 1, 2014, California implemented an amendment to its breach notification law. The law applies to companies doing business in California that experience a security breach exposing personal information. Under the amendment, “personal information” has been expanded beyond financial and medical information to include online account credentials such as user names and email addresses when lost in combination with passwords and security questions and answers. However, the law includes a safe harbor clause that negates company liability if the personal information is encrypted.
It is almost impossible for businesses to guard completely against data leakage, whether it’s an external hack, lawful interception, or human error. Faced with this reality, the only option for businesses is to use encryption to insulate against the impact of a data breach and avoid penalties. However, enterprise leaders need to remember that encryption is never a “one size fits all” technology, and for many it raises concerns over complexity and performance. There is a big difference between deploying encryption in laptops versus networks, storage systems, databases or applications.