Or could businesses shoot themselves in the foot…
Published: 27 March 2008 10:00 GMT
High-profile data breaches and new laws have put encryption back in the limelight. But organisations would be wrong to pin all their hopes on it, warns lawyer Stewart James.
Earlier this month, Westminster's Joint Committee on Human Rights criticised the loss of 25 million child benefits records as typical of the government's "lax standards" on protecting personal information. It also called for all data to be encrypted and never distributed by post.
After HMRC's data loss, the government instructed all departments to encrypt laptops and has issued new guidance developed by the Communications Electronics Security Group on the standards to be applied.
Encryption: Key issues
1. The guardianship of commercially sensitive records: personal vs corporate liability.
2. Accommodating human error: is technology a universal panacea?
3. Law enforcement agencies' access to data.
All this emphasis on data encryption assumes it is the panacea for all data loss - but for every silver lining there is always a grey cloud.
Of course the loss of data happens in business too - such as the loss by TK Maxx of 45 million customer credit files. Clearly businesses also have much to learn about information security.
In particular, the Companies Act places a direct obligation on directors to ensure the confidentiality of data. The act emphasises that data loss is not a problem limited to personal data but includes all forms of commercially sensitive information.
Many will be aware now that the seventh principle of the Data Protection Act requires businesses to take appropriate technical and organisational measures to guard against accidental data loss.
But a lack of guidance on what this means in practice has left many businesses exposed and confused about their obligations.
The obligation to protect all information imposed by the Companies Act does at least ensure common measures such as encryption can be applied and simplifies the process of developing an information security policy.
Encryption scrambles data into meaningless text that cannot be interpreted without the corresponding key to unlock it. It can take a variety of forms depending on the level of security required and the manner in which it is used.
If applied judiciously, and as part of an overall policy solution, it need not add burdensome overheads - a myth that often prevents its application in the first place.
Unfortunately, no matter how good the policy and the technology, the human element will always provide the weak link in the security chain.
The success of data encryption in preserving the confidentiality of information was demonstrated recently by the discovery of a confidential Home Office disc hidden in a laptop sold via the online auction site eBay. Fortunately, the disc was encrypted, rendering the information meaningless to the laptop's purchaser.
While it is possible to crack some forms of encryption, the effort and skills required make it impractical. This places a collateral obligation on the business to ensure that its key life-cycle management is equal to the employee obligations to abide by the security policy in the first place.
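The two points above, that an encrypted disc is meaningless without its key and that the business must therefore manage the key's life cycle as carefully as the policy itself, can be seen in a few lines of code. The following is an added example and not code from the article or from DLA Piper; it uses AES-256-GCM from the Go standard library, the record and the classification label are constructed sample values, and the function names (NewKey, Seal, Open, Zeroize, LeaksPlaintext) are the example's own. It shows the sealed blob containing no trace of the record, the holder of the key recovering it, a purchaser without the key getting only an error, and, once the key is destroyed or lost, the business itself being locked out as well.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleRecord is a constructed stand-in for one confidential record; the
// values are made up for this example and are not real personal data.
var sampleRecord = []byte("name=J. Example;nino=QQ123456C;benefit=child;amount=18.10")

// NewKey returns a fresh random 256-bit key. In a real deployment the key would
// be issued, rotated and retired by the organisation's key-management process.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Seal encrypts plaintext under key with AES-256-GCM and returns
// nonce || ciphertext || tag. The aad (here a classification label) is
// authenticated but not encrypted, so the blob cannot later be presented
// under a different label without failing the tag check.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. A wrong key, a modified blob or a different aad all make
// the authentication tag check fail, and no plaintext is returned at all.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Zeroize overwrites key material in place. Once the last copy of a key is
// destroyed, or simply lost, every blob sealed under it is permanently
// unreadable to the business as well as to anyone who finds the disc.
func Zeroize(key []byte) {
	for i := range key {
		key[i] = 0
	}
}

// LeaksPlaintext reports whether the record appears verbatim in the blob,
// the first check one would run on an image of a "lost" disc.
func LeaksPlaintext(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("classification=confidential")
	blob, err := Seal(key, sampleRecord, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("blob (%d bytes) leaks plaintext: %v\n", len(blob), LeaksPlaintext(blob, sampleRecord))

	// The key holder recovers the record.
	pt, err := Open(key, blob, aad)
	fmt.Printf("with key: %q err=%v\n", pt, err)

	// Someone holding the disc but not the key gets only an error.
	other, _ := NewKey()
	_, err = Open(other, blob, aad)
	fmt.Printf("with wrong key: err=%v\n", err)

	// Key destroyed, or lost through poor key life-cycle management: the data is gone.
	Zeroize(key)
	_, err = Open(key, blob, aad)
	fmt.Printf("after key destroyed: err=%v\n", err)
}
```

The last step is the one the article's "collateral obligation" refers to: the same property that protects a lost disc makes a lost key a loss of the data itself, so backup and escrow of keys belong in the security policy alongside the rule to encrypt.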
Data encryption also poses a problem for the legitimate activities of the police and other law enforcement agencies.
It is notable that criminals, paedophiles and terrorists have been among the first to adopt the use of encryption to protect emails and data from inspection.
Without access to the plain text it may be impossible to secure prosecutions, which is one of the government's justifications for seeking longer pre-charge detention periods.
So what does all this mean for the future of information security? There's no doubt that recent events have turned an overdue spotlight onto the duties of companies and individuals to protect sensitive information.
But there are competing elements at play here. There is an obligation to make information secure. Yet the information must be available to those who legitimately need it.
What's clear is that, in this information age, definitive guidelines that encompass the use, guardianship, retrieval and presentation of information are paramount - technology alone will never be enough.
Compliance with the new Companies Act and the Data Protection Act will be a step in the right direction but we're likely to see a number of avoidable breaches of security yet before we ever reach a data-safe Utopia.
DLA Piper is the world's largest global legal services organisation with more than 3,600 lawyers across 64 offices and 25 countries. Its award-winning technology, media and commercial practice employs 70 partners specialising in IT, telecomms, media, sport and IP law. Experts in convergence between the technology, communications and media sectors, it advises some of the world's leading multinational entertainment, media, sport and technology companies.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.