The challenges that come along with securing sensitive information are unprecedented. It has become extremely difficult to protect data which is stored electronically, and breaches have unfortunately become a frequent occurrence. It is now legally required that companies take some steps to protect their sensitive data. With that being said, there are many different measures available to choose from. The array of options may leave companies confused or overwhelmed not knowing where to begin. If you are unable to figure out where to begin, consider starting with encryption.

Encryption is both an easy and comprehensible starting point. Encryption, in the most basic sense, is a method used to encode your data. The process converts plain text to encrypted text with the use of an encryption key that is only given to authorized users. Authorized personnel then use the key to decipher the coded information. Without knowledge of the encryption key, one cannot comprehend the encrypted text, and instead will be left with meaningless characters that unauthorized users are unable to decode.

Encryption provides far more than a platform of frustration and failure for potential hackers. Instead, it serves a dual function. Firstly, encryption provides a layer of protection for your company's data. Secondly, encryption may be the key in avoiding liability in certain situations.

The laws which govern technology are still continuing to evolve. Technology develops at an incredible pace, leaving courts and legislatures trying to catch up. As a result, the legal standard used to hold companies liable for sensitive data being disseminated is still in a state of flux. Courts however have suggested that if a company takes steps to encrypt their data, they may be able to avoid liability if a breach should later occur.

Thus far, it seems the courts have decided the reasonableness standard will govern in data breach liability. Essentially, they look to see if the company took reasonable precautions under the circumstances to protect sensitive data. Courts tend to look at the level of sensitivity of the data, as well as the size of the organization that is in charge of securing the information. Victims who have had their private information stolen as a result of security breaches tend to seek remedies through negligence or breach of contract claims. Both actions implicate some sort of reasonableness standard. So it's no surprise that courts chose the same standard to govern companies' liability in breaches. While the waters of defining the reasonableness standard remain murky, one thing is clear; companies, who store sensitive information, must do something to ensure its security in order to avoid liability.

Encryption is a good place to begin when trying to satisfy the threshold requirement of reasonableness. Encrypting data will render the stolen data inaccessible to hackers, and therefore reduce the chances of private information being accessed. As the effects of a breach are significantly less severe if the stolen data was encrypted, various agencies have limited or reduced potential liability in situations where stolen data was encrypted. For example, the Department of Health and Human Services (HHS) and Office for Civil Rights (OCR), both suggest that monetary penalties may be waived if sufficient encryption was used. Additionally, the Health Information Technology for Economic Clinical Health (HITECH) Act excludes healthcare entities from serious penalties for lost or stolen data if the data was encrypted prior to the breach.

There are also cases which evidence the courts willingness to mitigate an owner's liability if the stolen device was protected by encryption. For example, in May 2012, an employee at Beth Israel Deaconess Medical Center left an unencrypted personal laptop unattended on a desk in the hospital. That laptop was stolen and sensitive information electronically stored on the computer was accessed and subsequently released. The hospital was ordered to pay a $100,000 as a result of the breach. The Court however, held that the Boston hospital could have mitigated their liability had the stolen laptop been protected by encryption.

Companies face an array of challenges when it comes to securing sensitive information effectively. This should not however, leave companies feeling powerless to these challenges. There are various options available which will provide for some degree of legal protection. Encryption is a great place to start. As noted, encryption will not only help lessen the chances of a security breach, but it may also help mitigate liability should a breach occur. It's important to remember, that although avoidance may no longer be available, taking steps to protect your data is still very much required.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.