Under the EU’s General Data Protection Regulation (GDPR), not only the banks and large corporates need to encrypt data at rest. Small and medium-sized enterprises (SMEs), government departments, non-government organisations (NGOs) and non-profits need to adequately protect the data they collect. Ironically, often it’s the most cash-strapped organisations who need encryption the most.
In 2016, the Australian Red Cross Blood Bank accidentally leaked the details of 550,000 blood donors, including details of “at risk sexual history”. Had GDPR applied, the intensely personal nature of the data leaked and the possible impact on the rights and freedoms of the citizens affected (anything from personal discrimination to effects on health insurance premiums), this non-profit would be in grave danger of breaching GDPR Articles 32 and 25.
Yet, the incident was entirely preventable using encryption.
Let’s examine encryption in GDPR and its importance.
How does GDPR view encryption?
Once a data breach has occurred, GDPR (Articles 33 and 34) introduces mandatory reporting of breaches to the people affected by the breach, as well as the central authority (the Information Commissioner’s Office in the UK).
However, prevention is better than cure.
On the prevention side, GDPR includes two specific articles relating to information security and the prevention of data breaches: Articles 32 and 25. For discussion purposes, we will simplify these two articles as they relate to encryption, but readers are encouraged to refer to the original legislation.
Article 32: “Personal data must be secured to a level appropriate to the risk, by technical and organisational measures including pseudonymisation and encryption and by ensuring the ongoing confidentiality, integrity and availability of data processing systems and services.”
Article 25: “Technical and organisational measures should be implemented to provide data protection by design and default, including pseudonymisation (and encryption), and only personal data necessary for a specific purpose should be processed.”
The key message is that security must be provided… and the more sensitive the data, the stronger the need for encryption. Imagine an organisation that stores names and addresses in its database. This constitutes personal information (leaking that information can lead to identify theft), so there’s already a strong need to encrypt things like database backups. However, the risks escalate if the data set includes things like health information, financial information, political affiliations, religious practices, and so on. If leaked, such information could adversely affect the rights and freedoms of those affected.
Imagine the sheer number of governmental and non-profit organisations that collect highly sensitive data! A general purpose solution is definitely required.
Why does GDPR specifically mention encryption?
To prevent data leaks.
Encryption is a fundamental technology of cybersecurity. However, unlike firewalls which are ubiquitous, encryption is rarely deployed in most organisations.
Let’s take a law firm as an example. Lawyers work on cases, drafting affidavits, collecting evidence, which all get stored as files on a file system. Then one of their PCs becomes infected with malware (such as doxware); this malware scans the file system and uploads files to the attacker’s server. The attacker has a copy of the victim’s files – in this case the confidential legal files of the firm’s clients. The leak of these documents, even if they are protected by legal privilege, can easily lead to discrimination, persecution, victimisation and other adverse consequences to the victims.
In this case, the IT department of the law firm may have implemented access control on the file system, and they may have installed firewalls, email filtering, and virus protection. However, it’s difficult to protect against all attack vectors; malware attacks have skyrocketed in recent years.
So what could have helped? Is encryption a blanket defence system?
If encryption had been integrated into the law firm’s procedures and practices, then the malware should only have uploaded ciphertext (encrypted data) to the attacker, which is of course useless. The privacy of client files would be preserved.
Why isn’t encryption used more widely today?
The Red Cross Blood Bank data leak reveals a deep problem: a lack of encryption tools that system administrators can use to protect data on a widespread basis.
A further issue is that it’s extremely difficult for software developers to implement encryption securely. But ironically, the reverse is true: it’s extremely easy for software developers to implement encryption insecurely, but insecure encryption is little better than a placebo. The complex mathematics and algorithms behind cryptography are simply beyond the skillset of most developers.
Therefore, most applications don’t use encryption when they save their data.
This leads to a situation where GDPR Article 25 (data protection by design and default) becomes difficult or impossible to achieve.
Is there hope?
It’s clear that better tools and libraries are required to help promote the use of encryption and improve security for organisations.
One such area of research is in cloud-friendly cryptographic file systems. This type of technology will transparently encrypt and decrypt files as they are saved and loaded from storage – both on-premise and cloud-based. Because it works at a file level, a wide variety of data (such as Word documents, videos, photos, PDF files, database backups) can be encrypted with little overhead.
Cryptographer and senior lecturer Dr Ron Steinfeld of Monash University, who has been working on the ScramFS cryptographic file system project, is hopeful of the technology’s potential. “If carefully designed and implemented, crypto products can achieve a high level of security. Many users store their web cloud data unencrypted, or with keys stored on the web server. Consequently, any hacker that manages to expose the contents of the web server can gain access to the data. Encrypting stored user information on the cloud server with a key known only to the user, as is done by ScramFS, should significantly reduce the likelihood of such data breaches.”
With the 25th May 2018 GDPR deadline rapidly approaching, there’s never been a stronger need for cost-effective and easy-to-use encryption toolkits. We anticipate a lot more discussion around encryption and its role in cybersecurity defence.
By Linus Chang, Founder & CEO, Scram Software
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/