How Will Breach Laws Develop in 2018?
Posted on January 3, 2018
You hopefully already know that Maryland’s amendment to its data breach notification law went into effect this week (on January 1, 2018). We anticipate that other states may follow one of Maryland’s modifications, namely its expansion of the definition of personal information. Under the amended law “personal information” now includes an expanded definition of biometric information. Biometric information is defined as any automatically generated biologic measurements, rather than just specifically listed items like fingerprints (the definition prior to the amendment). A handful of states have laws —like Maryland— that include biometric information in the definition of personal information. Those include Illinois, Nebraska, Nevada, North Carolina, Wisconsin, and Wyoming. We expect other states may join these. We also expect that states may otherwise continue to expand the definition of personal information in their breach notice laws.
PUTTING IT INTO PRACTICE: Companies that collect and store information about individuals should continue to examine their information protection measures as the definition “personal” expands in breach notice laws.
EUROPE
UK Regulator Issues Guidance About Encryption Under GDPR
Posted on December 13, 2018
The UK Information Commissioner’s Office recently released helpful encryption guidance. Although released to address the GDPR security requirements, this document may be helpful more broadly because of the detail around encryption the ICO provides. In the guidance, the ICO points to certain types of encryption (symmetric and asymmetric) and when to use the different methods. The ICO also clarifies that “hashing” is not encryption, two things that are often confused. The ICO also gives information about how to implement encryption. Namely, to choose the right algorithm, the right size key, and the right software. The ICO also reminds companies to keep the key itself secure. The ICO gives links to several resources to learn more about encryption and encryption methods and standards.
Taking a look at this guideline is important for companies subject to GDPR, as if faced with a breach of unencrypted data, the ICO states it will think about taking regulatory action. The ICO recommends companies put an encryption policy in place. That policy, the ICO states, should explain when the company will or will not use encryption measures.
PUTTING IT INTO PRACTICE: Companies thinking about encryption will find this guidance helpful, in particular with respect to the types of encryption to use and what an encryption policy might look like.
                     Eye on Privacy 2018 Year in Review 36