Will California Mandate The Use of Encryption When Transmitting Confidential Data Via Email?

Don Miller

Several years ago, IT and business managers were surveyed about their managed file transfer usage.  An astoundingly high percentage of those surveyed (over 70%) were still transmitting data unencrypted, even data of a sensitive nature.  From a data security perspective, this type of conduct is a definite no-no.

Fast forward to 2013, and it seems that not much has changed.  Consider, for example, a recently released data breach report from the California Attorney General.  The AG analyzed data breach information compiled pursuant to a law requiring companies to report on data breaches affecting more than 500 state residents.  The AG’s report identified 131 data breach incidents occurring in a single year that put the personal information of 2.5 million individuals at risk.

The report also contains recommendations for improving data security.  The number one recommendation focuses on data encryption: “Companies should encrypt digital personal information when moving or sending it out of their secure network … The Legislature may also want to consider requiring the use of encryption to protect personal information in transit.”

The California AG explained the reasoning behind this recommendation:  “Far too many people continue to be put at risk when companies do not encrypt data in transit.  More than half of the Californians affected by data breaches reported to the Attorney General in 2012 – fully 1.4 million – would not have been put at risk if the data had been encrypted.”

If the California AG has her way, all California organizations would be required by law to use encryption to protect personal information when transmitted in an email or over the Internet.  The California AG even went so far as to suggest an appropriate encryption standard—FIPS 197, the National Institute of Standards and Technology’s standard approved for U.S. Government organizations to protect higher risk information.

The California AG issued a statement following release of the report in which she emphasized how serious she is about data security:  “Data breaches are a serious threat to individuals’ privacy, finances and even personal security.  Companies and government agencies must do more to protect people by protecting data.”

All levels of government are obviously paying closer attention to data security.  Thus, it’s time for all companies and government agencies to review their processes for transmitting data on portable devices and in emails.  bTrade can help in that regard.  If you want to speak with our data security experts, please contact us at info@btrade.com.