The New National Data Encryption Rules May Be Enforced Soon

As some of you may have heard, Ted Lieu, Mike Bishop, Suzan DelBene, and Jim Jordan, members of the United States Congress, recently presented a bill called the ENCRYPT Act. Its purpose is to create national data encryption rules that would prevent individual States from regulating the use of data encryption. “As a computer science major, I can tell you that having 50 different mandatory state-level encryption standards is bad for security, consumers, innovation, and ultimately law enforcement,” Ted Lieu explained. Even though the bill was already proposed two years ago and did not become law, it is entirely possible that it will become law this time, as the circumstances have changed quite a bit since 2016.

To illustrate these changes, we used the Gemalto Breach Level Index. According to it, the number of data breaches decreased slightly in 2017 (1,765) compared to the count of such incidents in 2016 (1,981), but unfortunately, the number of breached records almost doubled last year. To be more accurate, the number of compromised records in 2016 was a bit more than 1.3 billion, while the total count in 2017 was estimated to be a bit more than 2.6 billion. Sadly, compromised data can cause a lot of damage, for example, identity theft, account or financial access, and so on. Therefore, it is only natural that discussions about data security and the means to ensure it have become more and more frequent among users, computer security specialists, government members, and organizations that are supposed to protect their customers’ sensitive information. Not to mention, people are becoming more aware of how crucial it is to protect their privacy and what the consequences of losing one’s sensitive data to cybercriminals could be.

Many specialists agree that one of the best ways to protect private data is to use data encryption. After all, the statistics show that only 3.1% of data breaches in 2017 were incidents where encryption was used. In other words, the rest of the successful attacks targeted sensitive information that was not protected this way. The reason why national data encryption rules might be necessary for the United States can be illustrated by another fact from the same statistics: 86% of all data breaches counted in 2017 occurred in North America (1,453 in the United States, 59 in Canada, and only 2 in Mexico). However, the problem is that it is not enough to apply just any encryption. It has to be strong; otherwise, the sensitive information protected with it might be at risk in any case. This is the point where it becomes clear why the ENCRYPT Act might be so important.

It appears that there were suggestions from the Department of Justice and the FBI to weaken encryption to make it possible for law enforcement to get to encrypted data or messages. The bad news is that if manufacturers weakened encryption by storing decryption keys or building backdoors into their devices, it might make it easier for cybercriminals to get to encrypted data too. In other words, the percentage of data breaches occurring when encryption was used could increase, and so everyone’s hopes of protecting their privacy with data encryption could be diminished. Besides the described situation, there were others as well. For example, two years ago, lawmakers from California attempted to introduce statewide legislation that might have allowed banning smartphones that could be encrypted or limiting their usage. If it had been enforced, the residents of that State would have been unable to use strong data encryption to protect their privacy. Knowing that our data security is always at risk nowadays, none of the proposals just mentioned seems to serve the purpose of equipping us with the tools necessary to protect it. On the contrary, allowing individual States to limit encryption usage might make the task of guarding sensitive data against cybercriminals much more difficult.

Fortunately, the national data encryption rules presented in the ENCRYPT Act could ensure that everyone living in the United States has access to strong encryption and consequently has the means to guard their privacy. The bill would make sure neither a State nor a political subdivision of a State could request manufacturers, developers, sellers, or providers to “alter the security functions in its product or service to allow the surveillance of any user of such product or service” or “have the ability to decrypt or otherwise render intelligible information that is encrypted or otherwise rendered.” Naturally, the bill will still have to be considered by committees, but, hopefully, all will go well, and soon the national data encryption rules will create a unified approach to encryption, making data encryption available to anyone who would like to employ it to ensure their privacy or the data security of their clients.

August 9, 2018
