Alycia Riley
Lawyer
What does it mean to "encrypt" information? And how does an organization know whether its existing encryption protocols are sufficient?
The Personal Information Protection and Electronic Documents Act (PIPEDA) requires businesses to protect personal information with security safeguards appropriate to the sensitivity of the information. Among the safeguards it lists, Principle 4.7.3 states that methods of protection should include technological measures, such as the use of passwords and encryption.
In its guidance to businesses on preventing and responding to privacy breaches, the Office of the Privacy Commissioner (OPC) also encourages using encryption for laptops and portable media. This obligation will almost certainly continue in the new federal legislation before Parliament aimed at replacing PIPEDA.
This article sets out some general information on encryption and best practices for organizations to consider from a legal perspective. We strongly encourage readers to consult with their trusted cyber security and information technology professionals to address their organization's unique needs.
Encryption is a key component of the digital economy. It secures data transfers by transforming readable content (plaintext) into unreadable ciphertext, which can be turned back into the original content only by someone holding the corresponding key. Encryption can also protect information at rest, such as data stored in an encrypted database or on an encrypted drive.
There are two main forms of modern encryption: symmetric and asymmetric.
Symmetric encryption uses the same key to encrypt and decrypt content, so both parties must already share that secret key. Asymmetric encryption uses a pair of keys: a public key for encryption and a separate private key for decryption.[1] Anyone who wants to send encrypted content to a user can obtain that user's public key (e.g. from their website) and use it to encrypt the message. Only the holder of the matching private key, that is, the intended recipient, can decrypt it; the sender's own keys play no part in decryption.[2]
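The two schemes described above, as an added example that is not part of the original article: a symmetric round trip with AES-128-GCM (the AES-128 mentioned in the hotel finding below is the same cipher) and an asymmetric one with RSA-OAEP, showing that the ciphertext encrypted to a recipient's public key is readable with that recipient's private key and with no other. It uses only the Go standard library; the sample record, key sizes and function names are the example's own choices and the record is constructed, not real personal information.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SymmetricEncrypt seals plaintext with AES-128-GCM under a 16-byte key.
// GCM also authenticates the ciphertext, so tampering is detected on
// decryption. Output layout: nonce || ciphertext+tag.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message; never reuse one with the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt. It returns an error, not
// garbage, when the key is wrong or the ciphertext was modified.
func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// AsymmetricEncrypt encrypts a short message to a recipient using only the
// recipient's RSA public key (RSA-OAEP with SHA-256). Anyone may call this.
func AsymmetricEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// AsymmetricDecrypt recovers the message; it needs the recipient's private key.
func AsymmetricDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// KeyPairDemo reports whether the intended recipient can decrypt a message
// encrypted to their public key (recipientOK) and whether the holder of a
// different private key, standing in for the sender or any third party,
// can decrypt the same ciphertext (otherOK).
func KeyPairDemo(record []byte) (recipientOK bool, otherOK bool, err error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	ct, err := AsymmetricEncrypt(&recipient.PublicKey, record)
	if err != nil {
		return false, false, err
	}
	pt, err := AsymmetricDecrypt(recipient, ct)
	recipientOK = err == nil && bytes.Equal(pt, record)
	_, err = AsymmetricDecrypt(other, ct) // expected to fail: wrong private key
	otherOK = err == nil
	return recipientOK, otherOK, nil
}

func main() {
	// Constructed sample record; the values are placeholders, not real data.
	record := []byte("guest=Jane Example;passport=XX000000;card=4111111111111111")

	key := make([]byte, 16) // AES-128 key; in production this comes from a key vault, not the code
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := SymmetricEncrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("symmetric: %d plaintext bytes -> %d stored bytes\n", len(record), len(sealed))
	if _, err := SymmetricDecrypt(make([]byte, 16), sealed); err != nil {
		fmt.Println("symmetric, wrong key:", err)
	}

	recipientOK, otherOK, err := KeyPairDemo(record)
	fmt.Println("asymmetric: recipient decrypts:", recipientOK, "| other key decrypts:", otherOK, "| err:", err)
}
```

Two design points matter for the legal discussion that follows: the symmetric key must be distributed and stored separately from the data it protects (hence the recommendation below to treat key vaults as their own security concern), and an authenticated mode such as GCM is chosen so that a modified or wrong-key ciphertext fails loudly instead of decrypting to plausible-looking garbage.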
There are several encryption standards available, such as:
Each form of encryption serves different purposes and has its own strengths and weaknesses. Which forms an organization uses will depend on factors such as data sensitivity, user requirements, desired functionality and cost.
From a legal standpoint, there is relatively limited guidance in Canada regarding encryption standards. There appears to be little case law on the topic, and PIPEDA does not dictate a specific encryption form or standard. The latter is not surprising given the Act's reliance on fair information principles and the rapid rate of change in information technology.
In a recent investigation,[3] the OPC commented on the respondent's failure to encrypt its database and data. Instead, the organization stored sensitive personal information in shared folders that were widely accessible to employees.
Although the respondent noted that the threat actor had accessed an administrator account (so that encryption alone would not have prevented the malicious actions), the OPC wrote:
"[E]ncryption of corporate data is a standard best practice, and in the case at hand, where the records included sensitive personal information, we would have expected encryption to be in place."
In another investigation, the OPC commented on a hotel chain's failure to apply encryption consistently to sensitive personal information obtained from its guests, including passport numbers and payment card numbers. The OPC noted that the hotel chain used AES-128 for the encryption of most payment card numbers, though it did not provide further comment on this encryption standard.[4]
In yet another investigation,[5] the respondent stated that it used 128-bit SSL encryption for data in transit, which it asserted was a security standard similar to those found in the banking industry (SSL has since been superseded by TLS). However, there was no evidence that the respondent encrypted data at rest, leaving such data vulnerable.
Like the OPC, provincial privacy commissioners have also commented on the use of encryption as part of data protection safeguards. However, there appear to be no recent publications on the appropriateness of different forms and standards of data encryption.
Your organization first needs to know what type of information it collects, uses and retains in order to protect it. Privacy and technology professionals should work collaboratively to map current data collection and handling practices.
If your organization does not have a comprehensive cyber security program, strongly consider implementing one. This may become a requirement for certain organizations in the future following the enactment of Bill C-26.
Your organization likely uses several forms of encryption already.
Reviewing where your organization employs encryption and, more importantly, where it does not, will help to identify potential weaknesses. This includes not only data in transit but also data while it is at rest (e.g. stored in a database).
Consult technical professionals to ensure your organization uses standards of encryption appropriate to the sensitivity of the information.
Consider whether your organization ought to apply specific industry or technical standards (e.g. ISO/IEC 18033 series regarding encryption systems for the purpose of data confidentiality).
Treat the security of encryption keys and key vaults as a concern separate from the security of other confidential information: an attacker who obtains the keys can read everything they protect, however strong the cipher.
Encryption cannot prevent data breaches entirely. It reduces the likelihood that a threat actor can make use of any data it obtains, and it offers no protection where the attacker acquires credentials that are themselves authorized to decrypt (as in the administrator-account example above). Encryption should complement, not replace, other forms of privacy management and data safeguarding such as:
Consider consulting public resources available online, such as those published by the Canadian Centre for Cyber Security.
Are you looking to consult on how your encryption practices meet your legal obligations? Contact a member of the Gowling WLG Cyber Security & Data Protection Law team.
[1] Nathan Saper, International Cryptography Regulation and the Global Information Economy, 11 Nw J Tech & Intell Prop 673 (2013) at para 7 (citations omitted).
[2] Ibid.
[3] PIPEDA Findings #2023-002, "Investigation into Agronomy's privacy practices related to safeguards, accountability and valid consent for the collection and use of personal information."
[4] PIPEDA Findings #2022-005, "Hotel chain discovers breach of customer database following acquisition of a competitor."
[5] PIPEDA Report of Findings #2018-006, "Breach of the World Anti-Doping database."
THIS DOES NOT CONSTITUTE LEGAL ADVICE. The information presented on this website, in any form, is provided for informational purposes only. It does not constitute legal advice and should not be interpreted as such. No user should take, or refrain from taking, decisions on the basis of this information alone, nor disregard professional legal advice or delay consulting a professional because of something they have read on this website. Gowling WLG professionals will be happy to discuss with users the options available on specific legal questions.