Nobody can prevent data from being stolen, but encryption can at least prevent attackers from using stolen data. This is a fundamental security rule for companies, yet many still do not follow it. Because the repeated warnings from data protection authorities did not seem to change anything, lawmakers are now moving to require, through national laws and EU regulations, that companies encrypt their sensitive data. Half a dozen legislative projects are currently in the pipeline. When they will take effect and which technical procedures they will demand is still uncertain. One thing is already certain, however: anyone who does not comply faces high fines and even imprisonment.
Virtually every company, authority or organisation will be affected by these projects. According to iX magazine, whistleblower Edward Snowden is to blame for the fact that encryption laws are now on their way. As a systems administrator working for the NSA, he had access to sensitive data, which he, much to the NSA's dismay, copied and published. The NSA's security measures at the time were aimed only at external attackers; as an administrator, Snowden was already inside those barriers and could bypass them with little effort. Companies and organisations often underestimate the danger from within. If the data had been encrypted with keys that the administrators of the storage and application systems cannot reach, even those administrators would not have had access to the sensitive content: separating key custody from system administration is precisely what stops the insider case.
Consistent encryption is not really new: professionals such as tax consultants, lawyers, notaries and auditors are already obliged under § 203 StGB to protect the confidentiality of the data entrusted to them. They are allowed to process this data in the cloud, but must be able to show that it is adequately protected, and in practice that only works with secure encryption, even though the law does not say the word. The same applies to medical professionals and pharmacists covered by the eHealth Act, and to public institutions whose IT is regulated by the eGovernment Act. The sectors to which the IT Security Act applies, the so-called critical infrastructures, must also protect their sensitive data; these include information technology, telecommunications, energy supply and the food sector. What holds for all of these sectors is that encryption is not explicitly mentioned in any of the laws. Nevertheless, it will no longer be possible to avoid it, especially not once the planned requirements take effect. If they come into force, transport encryption or half-hearted e-mail encryption alone will no longer suffice.
Pseudonymization is expressly recommended in the DSGVO. This means that the data is made unrecognizable by substituting sensitive values with type-conform nonsense data, for example by tokenization: a value is replaced by a token of the same format, and the only link between token and original value is held in a separately protected store. Note that pseudonymized data still counts as personal data under the DSGVO as long as that link exists, so the store holding it needs the same protection as the keys of an encryption solution. Companies are therefore well advised to choose a solution that can both encrypt and pseudonymize; this goes a long way toward DSGVO compliance. If the solution is also easy to install and requires no changes to client or server systems, so much the better.
iX believes that the widespread use of encryption will only succeed once the applications have become more user-friendly. There are many solutions that securely encrypt data in the cloud but break important user functions such as searching or sorting. After all, if only unrecognizable data is stored in the cloud, a simple search for a plaintext term cannot match anything, and other important functions are simply no longer supported. Customers are asked to choose between two evils: storing unencrypted data in the cloud and running the risk of data theft, and thus of a heavy penalty, or storing encrypted data in the cloud with no way to use important functions. A difficult decision for which there is a simple solution: an encryption solution like the eperi Gateway that is smart enough to keep the important functions working while making no compromises on the encryption, at rest, in transit and in use.
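The two paragraphs above describe pseudonymization by tokenization and the search problem of encrypted cloud data. The following is an added example, not code from eperi or from the page, of the simplest way to get exact-match search back on pseudonymized data: vault-based tokenization with shape-preserving tokens. It assumes a plain dictionary as a stand-in for the protected token vault, and the records, names and field names are constructed for the example.

```python
"""Vault-based tokenization as one way to pseudonymize records while keeping
exact-match search working on the tokenized copy.

Added example, not eperi's code. Assumptions: a plain dict stands in for the
protected token vault, and the records below are constructed."""
import secrets
import string

# Constructed sample data (fictitious people, IBAN-shaped strings only).
SAMPLE_RECORDS = [
    {"id": 1, "name": "Anna Schmidt", "email": "anna.schmidt@example.org",
     "iban": "DE89370400440532013000"},
    {"id": 2, "name": "Ben Meyer", "email": "ben.meyer@example.org",
     "iban": "DE02120300000000202051"},
    {"id": 3, "name": "Anna Schmidt", "email": "a.schmidt@example.net",
     "iban": "DE21500105170120342245"},
]

# Character classes whose members get replaced; anything else (separators such
# as "@", "." or " ") is kept so the token stays type-conform.
_ALPHABETS = {"9": string.digits, "A": string.ascii_uppercase, "a": string.ascii_lowercase}


def _char_class(ch):
    if ch.isdigit():
        return "9"
    if ch.isupper():
        return "A"
    if ch.islower():
        return "a"
    return ch


def same_shape(a, b):
    """True if a and b have identical length and per-position character classes."""
    return len(a) == len(b) and all(_char_class(x) == _char_class(y) for x, y in zip(a, b))


class TokenVault:
    """Maps sensitive values to random, shape-preserving tokens.

    Only the vault links token and value; the data store sees tokens only.
    A value always gets the same token, so an equality search can be answered
    by tokenizing the query term. Order is not preserved, so sorting and
    range queries on tokenized fields break (the limitation the text describes).
    """

    MAX_ATTEMPTS = 1000  # give up rather than loop forever on tiny value spaces

    def __init__(self, rng=None):
        self._rng = rng or secrets.SystemRandom()  # CSPRNG unless a test injects one
        self._to_token = {}  # plaintext -> token
        self._to_value = {}  # token -> plaintext

    def _shaped_random(self, value):
        return "".join(self._rng.choice(_ALPHABETS[c]) if c in _ALPHABETS else c
                       for c in map(_char_class, value))

    def tokenize(self, value):
        if value in self._to_token:
            return self._to_token[value]
        if not any(_char_class(c) in _ALPHABETS for c in value):
            raise ValueError("value has no letters or digits to replace")
        for _ in range(self.MAX_ATTEMPTS):
            token = self._shaped_random(value)
            if token != value and token not in self._to_value:
                self._to_token[value] = token
                self._to_value[token] = value
                return token
        raise RuntimeError("could not find an unused token")

    def token_for(self, value):
        """Look up without creating: unknown query terms must not pollute the vault."""
        return self._to_token.get(value)

    def detokenize(self, token):
        return self._to_value[token]


def pseudonymize(records, fields, vault):
    """Return copies of the records with the named fields replaced by tokens."""
    return [{k: vault.tokenize(v) if k in fields else v for k, v in r.items()}
            for r in records]


def search(tokenized, field, query, vault):
    """Exact-match search over tokenized data: compare tokens, never plaintext."""
    token = vault.token_for(query)
    return [] if token is None else [r for r in tokenized if r[field] == token]


if __name__ == "__main__":
    vault = TokenVault()
    stored = pseudonymize(SAMPLE_RECORDS, {"name", "email", "iban"}, vault)
    for r in stored:
        print(r)                                   # what the cloud store sees
    hits = search(stored, "name", "Anna Schmidt", vault)
    print("matches:", [vault.detokenize(r["email"]) for r in hits])
```

Two caveats a practitioner should keep in mind: because equal values map to equal tokens, the tokenized store still reveals which records share a value (frequency analysis works on it), and because tokens are random rather than order-preserving, sorting and range queries on those fields return nonsense. The vault itself is the crown jewel; it must live outside the cloud store and, as the Snowden case above illustrates, under administrators other than those who run the systems holding the tokens.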
Ease of use is an important criterion, but can it be the only one for or against encryption, given the number of data breaches in recent weeks, months and years? The question companies and authorities now have to answer is whether they really need laws in place before they make data protection a corporate goal. Sooner or later, they will not be able to avoid encrypting sensitive data anyway.