Latest news
- Shoosmiths recruits new corporate team in Manchester
- OFT report: The high cost of credit
- EDS v BSkyB: Businesses' salutary reminder as dust settles
- Short term occupation with long term consequences
- New work as RP presentations prove a big hit
- CPI, SPA, default retirement age: Ones to watch in the coming months
See more Press releases
RSS news feeds
Home | News & events | Legal updates | Encryption: Being used when it should...if at all?
Encryption: Being used when it should...if at all?
29 January 2009
Following several recent high profile losses of personal data, businesses are increasingly concerned about their duties under the Data Protection Act 1998.
And the development of extended networking capabilities, remote access and transportability of data is highlighting the importance of protecting commercially sensitive data or other confidential information such as intellectual property and know-how. It is no surprise, therefore, that businesses are reconsidering the adequacy of their information security policies.
Encryption has long been used by governments and in the military to protect national secrets and communications. In fact, encryption techniques have been discovered dating back to ancient Egypt, where scribes used hieroglyphic substitution methods to disguise messages.
More recently, the Enigma machine is a famous example of the use of encryption. With the expansion of the volume of electronic data, coupled with the availability of mass storage capabilities, use of encryption technologies has now become a daily occurrence for most people, though perhaps unbeknownst to the majority.
Applications using encryption technologies include USB flash drives, mobile telephones, wireless networks, bank automatic teller machines, and, of course, systems for digital rights management.
But though encryption technologies have many advantages, in business a lack of understanding and misuse of such technologies can seriously undermine their effectiveness and value.
How it works
Encryption transforms coherent and understandable information (text, sounds or images) into information which can only be understood by those possessing special knowledge. The special knowledge is known as a ‘key’, akin to a password. Encryption does not hide information, it merely scrambles it, and it is a common misconception to believe that data security is achieved once it has been encrypted.
Encryption works using mathematical algorithms and a key to transform the original data – the ‘plaintext’ – into a scrambled set of information – the ‘ciphertext’. Decryption is the reverse process – the transformation of ciphertext back into plaintext.
The two main types of encryption mechanisms are symmetric key encryption (SKE), and public key encryption (PKE).
In SKE, both the sender and the receiver use the same key, and careful key management is essential. In PKE, the receiver generates two keys, which are connected but computationally unfeasible: an encryption key (the public key) which is freely distributed to anyone who wants to send him confidential information, and a decryption key (the private key), which the receiver retains and keeps secret. Only the private key can decrypt data encrypted using the public key.
Therefore, the receiver can be confident that only he can easily decrypt and understand the confidential message sent to him. Fortunately, there is a vast selection of encryption tools available to shield the end user from complex cryptographic details.
Data Protection Act 1998
Encryption is fundamental to compliance with the seventh principle of the Data Protection Act 1998 (DPA), which requires that appropriate technical and organisational measures be taken to prevent unauthorised or unlawful processing or loss of personal data.
A recent Ministry of Justice press release confirmed that the Information Commissioner’s Office (ICO) is to be given tougher powers to regulate the DPA, including the imposition of monetary penalties on data controllers for deliberate or reckless loss of data.
Data stored on handheld and mobile devices such as laptops is particularly vulnerable to loss or theft, and the ICO recommends that portable devices used to store and/or transmit personal information should be protected using approved encryption software.
The ICO will not hesitate to take enforcement action where such precautions have not been taken given the recent high profile losses of personal data. For example, the ICO issued an enforcement notice against Marks & Spencer requiring all its laptops’ hard drives to be encrypted. As encryption standards are constantly evolving, periodic reassessments are essential.
Commercially sensitive information
If used correctly, encryption can also be an effective mechanism for protecting commercially sensitive information or other confidential information in the event of loss or theft. This could include intellectual property or information relating to an organisation’s customers, suppliers, accounts, forecasts etc. It could also extend to third party data received further to contractual arrangements or in the course of a due diligence exercise pursuant to which confidentiality obligations were imposed.
The loss or theft of such third party information could potentially lead to an action for breach of contract. Clearly, the extent of the protection afforded by the encryption relies on the measures adopted to enforce the confidentiality of the key used to decrypt the information, and the strength of the encryption algorithm itself.
This underlines the importance for businesses to have comprehensive information security policies to identify and address the risks. This is arguably even more relevant to company directors whose fiduciary duty to exercise reasonable care, skill and diligence could feasibly extend to adopting and implementing appropriate mechanisms for protecting confidential company information against loss or theft.
Regulation of Investigatory Powers Act 2000
Those using encryption need to be aware that designated public authorities have the power in certain limited circumstances to require the disclosure of encrypted information in an intelligible form.
The request is made through a Section 49 notice. If the information is not provided, the key can also be requested. Failure to make the required disclosure is a criminal offence punishable by imprisonment. It is also an offence to warn someone they are about to be served with a Section 49 Notice. A system should be established to allow a business to recognize and develop a procedure for dealing with such requests.
Our advice
Recent cases have shown that loss of personal data can generate substantial media interest. To avoid damage to reputation resulting from data losses, businesses should maintain and, most importantly, enforce an up-to-date information security policy to protect confidential information.
The extent of such a policy would naturally vary depending on the nature of an organisation’s business activities and dealings. In essence, the policy should impose measures and processes proportional to the level of risk of loss or theft of confidential company information, and the likely consequences in the event of such a loss or theft occurring.
Use of encryption technologies is likely to feature substantially in an organisation’s information security policy, particularly to ensure compliance with the Data Protection Act 1998, and to protect confidential company – or third party – information.
In the case of company directors, it may also be required to satisfy their fiduciary duties. Given the rate at which technology advances, information security policies should be frequently re-assessed to meet current standards to ensure compliance with contractual and statutory requirements.
© Shoosmiths. This page is for general information: it is not legal advice. Please read our full terms and conditions for details of the disclaimers and exclusions which apply.
Search the site
Enter the keywords below to search:
Get in touch
Jonathan Cathie
Solicitor
T: 03700 86 6840
I: +44 (0)1489 61 6840
E: jonathan.cathie@shoosmiths.co.uk