On August 28, 2013, on the UK Information Commissioner’s Office’s (“ICO’s”) blog, Simon Rice, Technology Group Manager for the ICO, discussed the importance of encryption as a data security measure. He stated that storing any personal information is “inherently risky” but encryption can be a “simple and effective means” to safeguard personal information and reduce the risk of security breaches.
Rice states that a “big misconception” regarding data security concerns the belief that user logins and passwords can provide protection equivalent to encryption. “[T]his isn’t the case,” writes Rice, “[as] in practice a password can be easily circumvented and full access to the data can be achieved.” Rice sets out two key rules for organizations to follow when using encryption: (1) select an appropriate encryption method; and (2) follow common sense practices to safeguard the encryption key.
Selecting the Correct Encryption Method
The blog aims to educate organizations about encryption and the various encryption methods widely available. Rice stresses the need for organizations to understand the different types of protection that different products offer, and to select an appropriate encryption tool based on their particular circumstances. The ICO also recommends certain internationally recognized encryption software standards on its website.
Safeguarding the Encryption Key
The ICO blog highlights common sense practices to protect the encryption key, such as ensuring that laptop encryption keys and passwords are not stored with the encrypted laptops and that, when encrypted data is sent as an email attachment, the decryption code is not included in the body of the same email.
Finally, Rice warns of the financial and reputational risks of failing to use encryption properly, citing three recent enforcement actions relating to improper use of encryption where the ICO imposed penalties totalling £700,000.