What does it mean to "encrypt" information? And how does an organization know whether its existing encryption protocols are sufficient?
The Protection of Personal Information and Electronic Documents Act (PIPEDA) imposes an obligation on businesses to use security safeguards to protect personal information in a manner appropriate to the sensitivity of the information. Amongst the various forms of safeguards, Principle 4.7 states that methods of protection should include technological measures, such as using passwords and encryption.
In its guidance to businesses on preventing and responding to privacy breaches, the Office of the Privacy Commissioner (OPC) also encourages using encryption for laptops and portable media. This obligation will almost certainly continue in the new federal legislation before Parliament aimed at replacing PIPEDA.
This article sets out some general information on encryption and best practices for organizations to consider from a legal perspective. We strongly encourage readers to consult with their trusted cyber security and information technology professionals to address their organization's unique needs.
What is encryption?
Encryption is a key component of the digital economy. It allows for secure data transfers by transforming content into an enciphered text and subsequently deciphering that text back into the original content using a specific key. Encryption can also protect information at rest, such as when stored on an encrypted database or drive.
There are two main forms of modern encryption: symmetric and asymmetric.
Symmetric encryption uses the same key to encrypt and decrypt content, while asymmetric encryption uses a public key for encryption and a separate private key for decryption. Anyone who wants to send encrypted content to a user can download that user's public key (e.g. from their website) and use it to encrypt the message. However, no one can decrypt the message unless they hold the recipient's matching private key, which is never shared.
Understanding encryption standards
There are several encryption standards available, such as:
- Advanced Encryption Standard (AES)
- Data Encryption Standard (DES)
- Rivest Shamir Adleman (RSA)
- Elliptic Curve Cryptography (ECC)
Each form of encryption has varying use purposes, pros and cons. An organization's use of each form will depend on several factors such as data sensitivity, user requirements, desired functionality and cost.
From a legal standpoint, there is relatively limited guidance in Canada regarding encryption standards. There appears to be little case law on the topic, and PIPEDA does not dictate a specific encryption form or standard. The latter is not surprising given the use of fair information principles in the Act in addition to the exponential rate of growth and change in information technologies.
In a recent investigation, the OPC commented on the respondent's failure to use encryption to secure its database and data. Rather, the organization stored sensitive personal information in shared folders that were widely accessible to employees.
While the respondent noted the threat actor accessed an administrator account (meaning encryption would not have prevented the malicious actions), the OPC indicated that:
- An administrator does not necessarily need to have access to all encryption keys.
- An organization can segment the access and permissions of administrators to minimize the impact of any one account being compromised.
The OPC wrote:
"[E]ncryption of corporate data is a standard best practice, and in the case at hand, where the records included sensitive personal information, we would have expected encryption to be in place."
In another investigation, the OPC commented on a hotel chain's failure to apply encryption consistently to sensitive personal information obtained from its guests, including passport numbers and payment card numbers. The OPC noted that the hotel chain used AES-128 for the encryption of most payment card numbers, though it did not provide further comment on this encryption standard.
In yet another investigation, the respondent indicated that it used 128-bit SSL encryption for data in transit, which it asserted was a security standard similar to those found in the banking industry. However, there was no evidence the respondent used encryption for data at rest, leaving such data vulnerable.
Like the OPC, provincial privacy commissioners have also commented on the use of encryption as part of data protection safeguards. However, there appear to be no recent publications on the appropriateness of different forms and standards of data encryption.
Best practices for encrypting your data
Assess the information you have
Your organization first needs to know what type of information it collects, uses and retains in order to protect it. Privacy and technology professionals should work collaboratively to map current data collection and handling practices.
Develop a cyber program
If your organization does not have a comprehensive cyber security program, strongly consider implementing one. This may become a requirement for certain organizations in the future following the enactment of Bill C-26.
Understand current encryption use
Your organization likely uses several forms of encryption already.
Reviewing where your organization employs encryption and, more importantly, where it does not, will help to identify potential weaknesses. This includes not only data in transit but also data while it is at rest (e.g. stored in a database).
Go to the experts
Consult technical professionals to ensure your organization uses standards of encryption appropriate to the sensitivity of the information.
Consider whether your organization ought to apply specific industry or technical standards (e.g. ISO/IEC 18033 series regarding encryption systems for the purpose of data confidentiality).
Protect the encryption keys
Consider security of encryption vaults and keys separately from security of other confidential information.
Leverage encryption as a tool within your privacy framework
Encryption cannot prevent data breaches entirely – it merely reduces the likelihood of a threat actor being able to make use of any data it obtains. Encryption should complement, not replace, other forms of privacy management and data safeguarding such as:
- Collecting as little personal information as possible (thereby reducing the amount of data you need to encrypt).
- Classifying and tagging data based on its sensitivity.
- Restricting access to information generally and limiting it to authorized persons (and, where possible, isolating access amongst those authorized persons).
- Restricting use of portable storage media where appropriate.
- Using strong passwords (with numbers and special characters).
- Limiting the data you retain over time by using appropriate retention and destruction protocols.
Learn from additional resources
Consider accessing public resources available online, such as the Canadian Centre for Cyber Security.
Are you looking to consult on how your encryption practices meet your legal obligations? Contact a member of the Gowling WLG Cyber Security & Data Protection Law team.