In Reg 500 (23 NYCRR 500), the New York Department of Financial Services requires encryption as a means of adequately protecting Nonpublic Information (NPI).
A library of books could be written on the topic of encryption – the mathematics and algorithms, the history of cryptography, etc. For some people, this is an enjoyable Friday night conversation. For the rest of us, not so much.
So let’s get to the point. Encryption takes a document, file or data that is in “plaintext” (i.e., you can read it) and turns it into “ciphertext” (i.e., it looks like incomprehensible gibberish) under the control of a secret key. This is perhaps the most critical way you can protect Nonpublic Information, because if it is done properly (a current algorithm, a randomly generated key of adequate length, and the key stored apart from the data it protects), recovering the data without the key is computationally infeasible with today’s technology.
Reg 500 requires Covered Entities to encrypt NPI in transit over external networks and NPI “at rest” (e.g., data sitting on your computer, a file share, a database or a backup – not moving).
It is important to understand that not all encryption is created equal. Some older algorithms and constructions have known weaknesses and can be broken with modest effort: DES, whose 56-bit key can be brute-forced; RC4, whose keystream biases are exploitable; and unauthenticated modes such as ECB, which leak patterns and let an attacker alter ciphertext undetected. Home-grown schemes are in the same category. If you don’t know much about encryption or how to implement it effectively, work with an expert on this.
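To make “done properly” concrete, here is an added example (not code from the article or from any DFS guidance) of encrypting a record at rest with AES-256-GCM, an authenticated mode, using only the Go standard library. It assumes the key comes from a key management system rather than the local disk; the sample record and the record identifier used as associated data are constructed for illustration. Note that a fresh random nonce is stored with each ciphertext, that the same key never reuses a nonce, and that any tampering with the stored ciphertext (or attaching it to the wrong record) causes decryption to fail rather than return corrupted plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the record written to disk. The nonce is not secret, but it
// must be unique per encryption under a given key, so it is generated at
// random and stored alongside the ciphertext.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext || 16-byte authentication tag
}

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. In a real
// deployment the key would be generated and held in a KMS/HSM (assumption),
// never stored next to the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. aad (e.g. a record identifier)
// is authenticated but not encrypted, so a ciphertext cannot be silently
// moved from one record to another.
func Seal(key, plaintext, aad []byte) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes for standard GCM
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open decrypts and verifies an envelope. Any change to the nonce,
// ciphertext, tag or aad makes the tag check fail and no plaintext is released.
func Open(key []byte, env Envelope, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("decrypt failed (tampered, wrong key or wrong aad): %w", err)
	}
	return pt, nil
}

// Tampered returns a copy of env with one ciphertext bit flipped, to show
// that an authenticated mode rejects modified data instead of decrypting it.
func Tampered(env Envelope) Envelope {
	ct := append([]byte(nil), env.Ciphertext...)
	ct[0] ^= 0x01
	return Envelope{Nonce: env.Nonce, Ciphertext: ct}
}

func main() {
	key, _ := NewKey()
	record := []byte("SSN=123-45-6789")  // constructed sample NPI, not real data
	aad := []byte("customer-record-42")  // hypothetical record identifier
	env, _ := Seal(key, record, aad)
	fmt.Printf("ciphertext (%d bytes): %x\n", len(env.Ciphertext), env.Ciphertext)
	pt, _ := Open(key, env, aad)
	fmt.Printf("decrypted: %s\n", pt)
	if _, err := Open(key, Tampered(env), aad); err != nil {
		fmt.Println("tamper detected:", err)
	}
	if _, err := Open(key, env, []byte("customer-record-43")); err != nil {
		fmt.Println("wrong record context detected:", err)
	}
}
```

The contrast with the weak choices above: DES would cap the key at 56 bits, and an unauthenticated mode such as ECB or CBC without a MAC would decrypt the tampered envelope to garbage (or attacker-chosen bytes) without complaint. Pair this with a key-rotation procedure and an audit of where keys are stored, which is where most “encryption” failures in practice actually occur.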
As with the multi-factor authentication provision that we covered a few weeks ago, there are two ways out of the encryption provision.
Sometimes you may find that encrypting NPI as required is infeasible. If so, the Chief Information Security Officer (CISO) can review and approve an effective alternative compensating control. Use this sparingly and document the reasoning, because encryption is an accepted standard and often a default control in the cybersecurity world. If a Covered Entity opts for an alternative to encryption, the CISO must review that decision at least annually to determine whether encryption has become feasible and should be reconsidered.
The only other companies that do not have to comply with the encryption provision are those with exemptions. Many small companies qualify for the limited exemption in Section 500.19, which covers certain provisions, and the encryption provision is likely one of them.
For those that must comply with this provision, it is important to base the implementation of encryption technology on your Risk Assessment. Identify the areas of greatest exposure and develop a plan for meeting this requirement in a consistent and effective way.