January 2021
Encryption, often described as the art and science of hiding information, plays a variety of roles in maintaining the security and privacy of data. Encryption primarily ensures the confidentiality of information, and it can be used to further enforce access and use restrictions.
Encryption is widely acknowledged to be a fundamental aspect of the reasonable security necessary to protect personal information, and encryption solutions are an important aspect of the modern digital enterprise. Some regulations, such as U.S. Internal Revenue Services (IRS) Publication 1075, require certain types of information to be encrypted using specified technology while the information is in storage or being transmitted over the internet. Other regulations, such as the GDPR and CCPA, don’t require encryption, but do recognize the important role it plays in securing personal information.
In addition to direct guidance from regulatory authorities, courts were considering whether data should be encrypted long before the GDPR and CCPA were enacted. Courts often observed that encryption was an industry standard practice for confidential information, providing greater relief from liability to companies that had encrypted data when compared to those that had not. These prior holdings are now reflected in laws like the CCPA and GDPR. For example, the CCPA protects companies from certain types of lawsuits in the event of a data breach if the information in question was encrypted and the person with unauthorized access did not have the encryption key. And the data protection authorities of the European Union, represented in the Article 29 Data Protection Working Party, provide guidance that “encryption is therefore absolutely necessary and irreplaceable for guaranteeing strong confidentiality and integrity.”
Encryption strategies for legal compliance can vary based on the state of the data as well as its classification. Data is generally considered to be in one of three states: in transit, at rest, or in use. Data in transit is actively moving from one network to another, such as when it is moved from local storage to a cloud-based storage account. Data at rest is inactive data that is not actively moving between networks, such as data stored on a hard drive, device, or cloud storage account. Data in use is data that is actively being processed.
Encryption of data in transit—particularly personal information—is largely viewed as an absolute requirement for the protection of confidentiality. When at rest, there are a range of security measures other than encryption that can be implemented to protect against unauthorized access, modification, or deletion. In these cases, encryption is seen as less of a requirement for protecting personal data provided that other measures are implemented in its place. For enterprises that are storing personal information of those covered by the CCPA, however, encryption of data at rest can limit legal actions in the event of a data breach and should be considered as part of a legal mitigation program regardless of any additional security measures in place.
NetApp offers an array of encryption solutions, depending on which products or services you use. These cover both hardware and software encryption, at either the volume or disk level, as well as encryption key management for the administration of the keys used to encrypt and decrypt data.
For customers of NetApp Cloud Data Services, encryption is managed under the shared responsibility model, with storage-level encryption executed through the applicable cloud storage provider. Our public cloud services provider partners offer their own encryption solutions: Amazon Web Services, Microsoft Azure, and Google Cloud.
