All 50 states have enacted their own version of a data breach notification statute requiring notice to affected individuals and/or regulatory bodies in the event of data loss, unauthorized data access or data exfiltration of personally identifiable information (“PII”). Many states, however, do not require such notification when the data at issue is encrypted. But what “encryption” requirements trigger this “safe harbor” provision? Each state’s answer to this question is slightly different. Some states exclude disclosure or access of encrypted PII from the definition of “breach” requiring notice. In such states, notification is required only if the accessed or disclosed PII is unencrypted. In other states, including New York, a “breach” occurs only where there is unauthorized access of both encrypted information and the necessary encryption key. N.Y. Gen. Bus. Law § 899-aa (Westlaw through L. 2019, ch. 1 to 19) (effective Mar. 28, 2013). Unauthorized access of encrypted data alone, therefore, may not necessarily be a breach that requires notice.
Some states go even further and mandate specific encryption requirements under their “safe harbor” provisions. Massachusetts and Rhode Island, for example, require “128-bit or higher” encryption. Mass. Gen. Laws Ann. ch. 93H, § 1(a) (Westlaw 2018) (effective Oct. 31, 2007); 11 R.I. Gen. Laws Ann. § 11-49.3-3(a)(2) (Westlaw 2018) (effective July 2, 2016). California, Colorado and Maine require use of a “generally accepted” encryption methodology. Cal. Civ. Code § 1798.82(i)(4) (Westlaw 2019) (effective Jan. 1, 2017); Colo. Rev. Stat. Ann. § 6-1-716(1)(d) (Westlaw 2018) (effective Sept. 1, 2018); Me. Rev. Stat. Ann. tit. 10 § 1347(2) (2017) (effective Sept. 12, 2009). Under Tennessee law, the encryption method must comply with “the current version of the Federal Information Processing Standard (FIPS) 140-2.” Tenn. Code Ann. § 47-18-2107(a)(2) (Westlaw 2018) (effective Apr. 4, 2017). Companies therefore must carefully analyze their encryption practices to evaluate their risk and meet their obligations under the reporting requirements of each state whose statute applies to them.
Adequate encryption is not one-size-fits-all, and navigating the various state data breach notification statutes can be daunting. Experienced attorneys who understand complex technical practices like encryption, and have counseled clients on the patchwork of data breach laws, are key to developing best practices for protecting PII in alignment with legal considerations and applicable reporting requirements.