8 Types of Data You Definitely Need to Encrypt
With the increasing amount of personally identifiable information (PII) and protected health information (PHI) that businesses and organizations collect, encryption has become not just a best practice but part and parcel of a complete cybersecurity strategy.
Long gone are the days when effective data encryption was seen as an added cost. PII and PHI are highly valuable to threat actors, and with the average cost of a data breach reaching $4.35 million in 2022 (IBM's Cost of a Data Breach Report), leaving sensitive data unprotected is the more expensive choice.
Understanding Encryption at a High Level
At a high level, encryption is a technique used to protect information from being read by unauthorized individuals. It transforms readable data (plaintext) into unreadable data (ciphertext) that can only be turned back into plaintext by a specific reverse process, and that reverse process requires a secret key. Without the key, the ciphertext is of no use to whoever holds it.
Modern encryption does not depend on keeping the algorithm secret. Algorithms such as AES are public and heavily analyzed; their security rests on the key alone, and recovering the plaintext without the key is computationally infeasible with any foreseeable amount of computing power. This is why key management, not algorithm choice, is where most real-world encryption failures happen.
When it comes to protecting personal information, encryption is one of the most effective tools available. By encrypting data, and by keeping the keys separate from the data they protect, businesses can ensure that even if attackers do manage to steal this sensitive information, they will not be able to read it. The caveat matters: an attacker who obtains the key along with the data gains everything, so keys belong in a key management service or hardware security module rather than on the same disk as the ciphertext. Note also that encrypted data cannot be queried or analyzed directly; analytics on protected fields requires controlled decryption, or approaches built for that purpose such as tokenization or format-preserving encryption.
If you’re looking to encrypt your PII data, here are a few tips to get you started. First, consider what type of encryption you need. There are two main types of encryption systems: symmetric and asymmetric.
Symmetric encryption (for example AES) is fast and simple, and it uses the same key for both encrypting and decrypting data. Its difficulty is not strength but key distribution: every party that needs to decrypt must already hold the secret key, and that key must be delivered and stored safely. Asymmetric encryption (for example RSA or elliptic-curve schemes) uses a public key to encrypt and a separate private key to decrypt, so anyone can encrypt a message that only the private-key holder can open. It is not inherently "more secure"; it solves the key-distribution problem at the cost of being far slower and limited to small messages. In practice the two are combined: a random symmetric key encrypts the bulk data, and that key is in turn wrapped with the recipient's public key. This hybrid (or envelope) pattern is what TLS, PGP, and most file-encryption products use.
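To make the hybrid pattern concrete, the following is an added example written for this page; it is not code from the original post or from Kiteworks. It uses only the Go standard library: AES-256-GCM as the fast symmetric layer for the file body, and RSA-OAEP as the asymmetric layer that wraps the per-file key so only the private-key holder can recover it. The record, file names and the `file-dek-v1` label are constructed for illustration. Because GCM is an authenticated mode, the example also shows what happens when stored ciphertext or its metadata is modified: decryption fails closed rather than returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the record written to disk: the file body under a per-file
// symmetric key (DEK), plus that DEK wrapped under an asymmetric key (KEK).
// Nothing in it is usable without the RSA private key.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted with RSA-OAEP under the KEK public key
	Nonce      []byte // 96-bit AES-GCM nonce, fresh for every DEK
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// oaepLabel binds the wrapped key to its purpose; it must match on unwrap.
// The label value is an assumption made for this example.
var oaepLabel = []byte("file-dek-v1")

// NewKEK generates the asymmetric key-encryption key. In production the
// private half lives in an HSM or KMS, never on the same host as the data.
func NewKEK() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts plaintext with a fresh random 256-bit DEK (fast, symmetric)
// and wraps that DEK with the KEK public key (asymmetric). aad is
// authenticated but not encrypted: put metadata such as the file path in it
// so a ciphertext cannot be silently swapped onto a different record.
func Seal(kek *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open unwraps the DEK with the KEK private key, then verifies and decrypts
// the body. Any change to ciphertext, nonce, tag or aad makes GCM fail
// closed; no partial plaintext is ever returned.
func Open(kek *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kek, env.WrappedDEK, oaepLabel)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong KEK or corrupted envelope")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext or metadata was modified")
	}
	return pt, nil
}

func main() {
	kek, err := NewKEK()
	if err != nil {
		panic(err)
	}
	// Constructed sample HR record; not real data.
	record := []byte("employee=J. Doe; ssn=000-00-0000; salary=85000")
	path := []byte("hr/2023/payroll.csv")
	env, err := Seal(&kek.PublicKey, record, path)
	if err != nil {
		panic(err)
	}
	pt, err := Open(kek, env, path)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)

	env.Ciphertext[0] ^= 0x01 // simulate a flipped byte on disk
	_, err = Open(kek, env, path)
	fmt.Println("after tampering:", err)
}
```

Two design points carry over to any product that claims "per-file keys": a new DEK and nonce for every object means one leaked key exposes one file, and wrapping the DEK rather than storing it beside the ciphertext is what makes the "keys are encrypted when stored" claim meaningful. Rotating the KEK then only requires re-wrapping the small DEKs, not re-encrypting every file.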
Factors Driving Encryption
In addition to the catastrophic consequences of a data breach, another reason why you should be encrypting data is regulatory compliance. Some regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the General Data Protection Regulation (GDPR), make specific reference to encryption, while others, such as the Gramm-Leach-Bliley Act (GLBA), don’t mandate encryption but strongly recommend it.
Q&A on Data Encryption
The following table provides short answers on some of the frequently asked questions on data encryption (Table 1).
| Question | Answer |
| --- | --- |
| What tools can I use to encrypt sensitive information? | Encryption tools differ in the algorithms they use, the key lengths they support, and how they manage keys. AES (typically AES-256 in an authenticated mode such as GCM) is the standard choice for symmetric encryption; RSA and elliptic-curve algorithms are used for asymmetric key exchange and key wrapping. Triple DES, Blowfish, and Twofish still appear in older products, but Triple DES is deprecated by NIST and both Triple DES and Blowfish use a 64-bit block size, so none of them should be selected for new systems. |
| What is end-to-end encryption? | End-to-end encryption (E2EE) is a secure communication method that ensures only the sender and the intended receiver can read data shared from one system/device to another. The sending device encrypts the data, and only the receiving device holds the key to decrypt it. No third party, including the service that relays the message and any attacker who intercepts it, can read the content. |
| What is encryption at rest? | Encryption at rest protects stored data that isn’t actively moving between devices or users: disks, databases, backups, and file shares. It defends against stolen or improperly disposed hardware, leaked backups, and attackers who obtain raw copies of storage, which is often their main goal. It does not by itself protect against an attacker who compromises a running system that has the keys loaded, so it must be paired with access control and separate key management. Any company that stores highly sensitive data such as PII, PHI, and financial records should encrypt its data at rest. |
Table 1. Frequently asked questions and answers on data encryption.
8 Different Private Data Types That Require Encryption
Following are eight different private data types that organizations must encrypt to ensure regulatory compliance and integrity of business operations and their supply chains.
Personally Identifiable Information (PII)
Most organizations have some form of personally identifiable information (PII) that they must keep safe from cybercriminals and rogue nation-states. Data privacy regulations such as GDPR in the European Union, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and the California Consumer Privacy Act (CCPA), among others, require organizations to track, control, and protect PII in motion and at rest.
Protected Health Information (PHI)
Healthcare organizations are obviously a key cyber target when it comes to protected health information (PHI). But as PHI is managed by many HR departments, protecting PHI and complying with respective regulations applies to every industry sector. PHI can be exchanged between systems used by healthcare providers to treat patients. It can be captured on a mobile app and sent or shared with various patient systems. And once PHI is received, it is stored on any number of systems—on-premises to the cloud—in the format in which it was received.
Encryption—from email, to file sharing, to managed file transfer, to web forms, to application programming interfaces (APIs)—is a requirement for organizations seeking to protect PHI from data breaches and to comply with industry and government regulations such as HIPAA. The HIPAA Security Rule treats encryption of PHI and ePHI at rest and in transit as an addressable safeguard: a covered entity must either implement it or document why an equivalent alternative is reasonable, and in practice encryption is the expected answer. In addition, organizations must protect PHI in transit with TLS or equivalent encryption whenever it is sent or shared. This includes email encryption.
Financial Records
GLBA protects people’s nonpublic personally identifiable financial information (PIFI) from being mishandled by financial institutions. This includes sensitive data like addresses, Social Security numbers, and income but also extends to more details like deposit amounts, loan information, and payment history that might enable the identification or validation of personal financial information.
Even though encryption is not an explicit requirement of GLBA, it is one of the best practices for protecting data at rest and in transit. Under the Safeguards Rule, issued by the FTC as part of the implementation of GLBA, companies must keep customer information secure. And the Pretexting provisions in the same Act require companies to guard against attempts to obtain personal information under false pretenses, such as scams.
Encryption ensures that institutions can protect financial records from unauthorized access and maintain the integrity and confidentiality of their customers’ data.
HR Data
Every company larger than a sole trader has employees, and that comes with a large amount of sensitive data that must be protected. HR-related data includes PII and financial records. HR data also includes private information such as contracts, timesheets, sick notes, and more.
This information could be immensely useful to hackers, to be sold on the darknet, held for ransom, or used for other nefarious purposes. Much of this digital information is sent and shared between different parties and systems within organizations as well as with third parties—including individuals and systems.
For example, when a contract with a consultant ends, sensitive content related to the termination is sent, shared, received, and stored. Each of these exchanges creates an opportunity for bad actors to intercept the private data and exploit it. Additionally, in some organizations, wage slips, timesheets, and sick notes are also transferred to and from applications, such as HR, payroll, finance, and other systems, via managed file transfer (MFT).
Commercial Information
Information on customers, details of contracts with suppliers, and documentation related to offers and tenders are just some of the commercial data types that every business will possess in one form or another. Some of this information may qualify as PII or financial records. In other instances, it is confidential contracts, request for proposal responses, and other sales-related content.
Exposing any of this commercial content could have a negative impact—from revealing confidential information to competitors to exposing potential legal liabilities and risks. This information is often sent via email, but it is also exchanged via file sharing. Further, much of it gets stored in ERP, CRM, and other systems through MFT. In all these instances, standard governance policies and encryption should be employed.
Legal Information
The amount of legally relevant information that needs encryption can be large and wide-ranging. For example, email discussions between board members revealing future strategies, investments, and merger and acquisition activities are highly confidential and must be encrypted. Correspondence on legal cases, including collaboration on legal briefs between corporate counsel and outside counsel, is highly sensitive, and organizations must ensure all such communications and content are encrypted and protected from exploitation. The list of potential legal use cases is extensive.
Controlled Unclassified Information (CUI)
Controlled unclassified information, or CUI, is a term used by the United States government to describe information that is sensitive but not classified. Although it is not classified, it still requires special handling and protection from unauthorized access or disclosure, because its release could damage national security or endanger public safety, including the safety of government employees and contractors.
While some types of CUI must be encrypted by law, all CUI should be encrypted to protect against unauthorized disclosure. According to the U.S. Department of Defense (DoD), all CUI that has not been approved for public release and is stored at rest on removable storage devices or on mobile devices should be encrypted. A good example of where CUI protection is mandated is found in the Cybersecurity Maturity Model Certification (CMMC) 2.0 that governs DoD contractors and subcontractors and ultimately will determine whether a contractor and/or subcontractor can conduct business with the DoD. CMMC Level 2 is built on NIST SP 800-171, which requires that cryptography used to protect the confidentiality of CUI be FIPS-validated, so the choice of encryption product and its configuration matters as much as the decision to encrypt.
Information on Mergers and Acquisitions (M&A)
The importance of data encryption in mergers and acquisitions cannot be overstated. In today’s digitized business world, data is one of the most valuable commodities a company owns. When two companies merge, or one acquires another, there is a huge amount of data that changes hands. This includes financial information, customer lists, intellectual property, and trade secrets. If this information falls into the wrong hands, it could be disastrous for the companies involved. As a result, organizations must encrypt all data before it is transferred—both internally and externally—during a merger or acquisition. Doing so helps ensure that it remains private while maintaining compliance with government and industry regulations.
The importance of securing sensitive M&A information is accentuated by high-profile cases in recent years where private data was released—resulting in everything from the cancellation of M&A activities to fines and penalties.
Kiteworks Private Content Network for Data Privacy and Compliance
Data encryption helps you improve your data security posture, meet regulatory compliance, and build trust with your customers. Organizations must strive for the right platform to keep their data secure, both when it is at rest and in motion, through encryption and other cybersecurity technologies and best practices.
The Kiteworks Private Content Network encrypts each piece of sensitive content that is sent or shared with a unique, strong key at the file level and with a different strong key at the disk-level volume. This ensures that each file is double encrypted. Further, file keys, volume keys, and other intermediate keys are encrypted when stored.
Organizations can configure centralized governance and security policies with Kiteworks across all their communication channels to ensure sensitive content that is sent and shared, internally and externally, remains private and moreover compliant with different regulations.
Schedule a custom demo of Kiteworks to see how the Kiteworks Private Content Network extends privacy and compliance control across all your communication channels.
Additional Resources
- Webinar: How to Address the Biggest Gap in Your Zero-trust Strategy
- Case Study: Learn How Mandiant Protects Sensitive Content That Enables Them to Protect Businesses Worldwide
- Webinar: How Automated Email Encryption Delivers Improved Privacy Protection and Compliance
- Blog Post: Most Secure File Sharing Options
- Blog Post: HIPAA And Encryption
- Glossary: Data Sovereignty
- Glossary: Data Compliance Standards
- Glossary: AES Data Encryption