One of the reasons you may be considering encryption is the relevant data protection regulation: either because the regulation specifies that data should be encrypted, or because of the large potential penalties where there is a data breach. Some US companies have been hit by fines in the hundreds of millions of dollars following data breaches, so we are talking about large sums of money. In Europe the largest fines so far (under the GDPR) have related to misuse of personal data or consent (750 million euros is the highest I am aware of), but there have been fines of up to 30 million euros for data breaches. In the case of a breach, you could also be sued by the individuals whose data has been accessed, or face a class action.
I’m not aware of any fines (large ones at least), or successful lawsuits, where a hacker gained access to a company’s systems but was not able to access data as it was securely encrypted. Some regulation also explicitly specifies exemptions where only encrypted data has been accessed. If you implement encryption, and do so well, you are certainly reducing your company’s financial exposure in the case of an attack successfully getting through your first lines of defense. If you implement encryption poorly though, you may not be making it too hard for attackers to get around the protection you have put in place.
It’s not really a point about regulation, but where you have a breach you are also open to reputational damage, especially if you haven’t followed good practice. I regularly see threads on Twitter mocking, in almost disbelief, companies that haven’t protected items such as passwords in the right manner.
Most of the general regulation I’m aware of doesn’t specifically require you to encrypt data, but it may recommend that you consider it. The European GDPR (General Data Protection Regulation), for instance, recommends encryption but does not require it. Some legislation specific to particular business sectors, however, does explicitly require encryption; in the United States, for instance, HIPAA (Health Insurance Portability and Accountability Act) explicitly requires encryption of certain healthcare data. You need to be aware of the data protection regulation that applies to the industries you are working with and understand what that regulation requires you to do.
Most countries now have some sort of general data protection regulation in place. Here are a few key ones (this is by no means a comprehensive list):
- Europe has the GDPR. Note that although the UK has left the European Union since Brexit, legislation has been passed to put pretty much the same rules (known as the UK GDPR) in place.
- The United States doesn’t have the same sort of regulation at the federal level, but there are many states that do have their own data-related laws and many others that are in the process of enacting them. The CCPA (California Consumer Privacy Act) is seen as a key player.
- Canada has PIPEDA (Personal Information Protection and Electronic Documents Act) which is quite similar to Europe’s GDPR.
- India has the Personal Data Protection bill that also has many of the same rules as the GDPR.
- South Africa has POPIA (Protection of Personal Information Act). This doesn’t align directly with the GDPR but is seen as being just as rigorous.
It’s estimated that more than 120 countries have some form of data protection regulation.
In addition to general data protection regulation there may be other requirements depending on the industry you work in. We’ve mentioned HIPAA. Here are a few others:
- In the United States, there are federal laws that apply to the processing of financial data. These include Sarbanes-Oxley and FACTA (Fair and Accurate Credit Transactions Act).
- Also in the United States, there is FISMA (Federal Information Security Management Act) specific to government agencies and those who work with them.
- In the UK, the FSA (Financial Standards Authority) imposes rules regarding the processing of financial data.
This post is part of a comprehensive series on SQL Server Encryption. Subscribe to my blog for updates as new posts are published or you can buy my book through the link in the sidebar to get it all in one go.
And if you’re embarking on an encryption project (or anything else to do with SQL Server) and want some help, I’m available for consulting – please get in touch or check out my services page to find out what I can do for you.
One thought on “Encryption and Data Protection Regulation”