What is encryption and what does it protect?
Encryption is the process of encoding information so that it cannot be read by unauthorized persons. If your company’s encrypted data is leaked, anyone who steals or finds the data will not be able to read it, as it is unintelligible without the proper decryption key.
Many people are not aware that a lot of information is already protected by encryption technology. For example, online shopping and internet banking would not work without good encryption. Encryption is designed to protect money and personal information. As for the business environment, encryption should be used to protect your company’s intellectual property and know-how as well as the personal data you process within your company.
Intellectual property and know-how can include the products or services created by your company. They can also be the methods you use to successfully sell those products, or the processes used to ensure that they function effectively throughout their life cycle. Similarly, they may include business and marketing plans for the next calendar year. All this information can be monetized or misused by a cyberattacker or thief.
Personal information that your company collects and processes may include information about your customers and employees. You are required by law to protect access to such data, as stipulated by the European Union's General Data Protection Regulation (GDPR).
GDPR and encryption
The GDPR defines personal data. These include names and surnames, photographs, email addresses, phone numbers, account numbers, fingerprints and voices. This regulation, which has been in force in all EU member states since May 25, 2018, describes encryption as a safeguard against reputational risk.
Imagine that one of your employees loses a USB key that contains a list of your customers. According to the GDPR, you should inform all the people on the list about the incident. They may perceive the data breach as a reason to change supplier. However, the obligation to notify these persons does not apply if their personal data has been encrypted.
Do you know what to do if your company has leaked personal information?
Obligation to notify the regulator:
You have to report any personal data breach to the relevant data protection authority. This obligation applies not only to major incidents, such as large database leaks, but also to minor mistakes. For example, if you mix the contents of envelopes intended for two different recipients erroneously, you must report it.
You have to notify the relevant supervisory authority about the incident within 72 hours of the moment you become aware of it, not of the moment the incident occurred. If this time limit is not met, the delay in notification (i.e. the reasons the breach was not reported within 72 hours) must be justified.
Obligation to notify affected individuals
In more serious cases, apart from notifying the data protection authority, you must also inform the individuals whose data have been affected by the incident. However, this step is not required if the incident occurred after your company had implemented appropriate technical and organizational security measures, in particular those that render the personal data unintelligible to any person unauthorized to access it. In practice, the rather complicated legal phrase “technical measures that render the data unintelligible” refers to encryption.
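The lost-USB-key scenario and the “unintelligible to unauthorized persons” condition above describe the same property of authenticated encryption: whoever finds the media gets only ciphertext, and decrypting without the right key fails outright rather than producing readable data. The following Go program is an added example written for this article; it is not ESET code and does not model ESET Endpoint Encryption. It uses AES-256-GCM from the Go standard library, a constructed (fictitious) customer list, and hypothetical helper names NewKey, Encrypt, Decrypt and LostUSBDemo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// customerList is a constructed sample of the kind of personal data the
// article's scenario is about. The names and contact details are fictitious.
const customerList = "Alice Example,alice@example.com,+000 000 0000\n" +
	"Bob Example,bob@example.com,+000 000 0001\n"

// NewKey returns a fresh 256-bit AES key drawn from the OS random source.
// In a real deployment the key would come from a key-management service or
// be derived from a passphrase; generating it here keeps the example offline.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// GCM is authenticated, so any change to the output is detected on decryption.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message; reusing a nonce with the same key
	// would break GCM's guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. With the wrong key, or after tampering, the
// authentication tag does not verify and an error is returned instead of
// garbage, which is what "unintelligible" means in practice.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// LostUSBDemo models the article's scenario: the list is encrypted before it
// is copied to removable media. It returns true when the legitimate key
// recovers the list and a key the finder might guess is rejected.
func LostUSBDemo() (bool, error) {
	ownerKey, err := NewKey()
	if err != nil {
		return false, err
	}
	onUSB, err := Encrypt(ownerKey, []byte(customerList))
	if err != nil {
		return false, err
	}
	// The key holder reads the list back unchanged.
	recovered, err := Decrypt(ownerKey, onUSB)
	if err != nil {
		return false, err
	}
	if string(recovered) != customerList {
		return false, errors.New("round trip mismatch")
	}
	// Whoever finds the USB key has only the ciphertext; a different key
	// fails the authentication check and yields nothing.
	finderKey, err := NewKey()
	if err != nil {
		return false, err
	}
	if _, err := Decrypt(finderKey, onUSB); err == nil {
		return false, errors.New("wrong key must not decrypt")
	}
	return true, nil
}

func main() {
	ok, err := LostUSBDemo()
	fmt.Println("encrypted list unreadable without the key:", ok, err)
}
```

The point the program makes for the notification exemption is the last check: the finder does not get a partially readable list, only a failed authentication, so the personal data stays unintelligible as long as the key was never stored alongside it on the same media.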
Possible fines related to GDPR
Failure to fulfil the obligation to report a data breach to the relevant supervisory authority is punishable by a fine of up to €10 million or, in the case of a company, up to a maximum of 2% of its annual worldwide revenue from the previous financial year. In addition to a high financial penalty, the data protection authority may also impose the following:
- a temporary or definitive limitation, including a ban on processing of personal data
- deletion of personal data
This means that you could either lose all the contacts for your existing customers, or your company could be temporarily banned from storing such data.
Data breaches affect businesses of all sizes
Many businesses believe that they are not vulnerable to cyberattacks or data breaches because of their small size and limited assets. Unfortunately, this is not the case: according to the analyst firm IDC, small and medium-sized businesses are the victims of more than 70 percent of security breaches. But the good news is that companies do not need to report cyberattacks unless personal data has been compromised or leaked.
Because of the false impression that other businesses do not face cyberattacks, companies may feel ashamed or fear negative attention if they report an attack.
ESET has observed that during the first year after the GDPR came into force, the supervisory authorities in Europe were still familiarizing themselves with the new rules. It is likely that they will now impose more fines.
However, experience shows that if affected companies cooperate, they tend to receive lower penalties. It also appears that if your company is not an internet giant, you are unlikely to get a maximum-level fine.
We therefore recommend that organizations always observe the notification obligation, cooperate with the supervisory authorities and educate their employees on what personal data is and how it should be protected.
ESET encryption solutions
ESET Endpoint Encryption protects sensitive data on corporate devices by means of encryption. It provides encryption of files and folders, emails and attachments, removable media, virtual disks as well as the entire disk. It is easy to use, offers full remote control of encryption keys and requires no server for deployment. Get a 30-day free trial and try ESET Endpoint Encryption in your company.