Cybersecurity Steps You Can Take to Comply With Authorities' Conflicting Demands
July 31, 2019 at 01:45 PM
Cybersecurity, encryption and data breaches now regularly lead the evening news. Recent government pronouncements have created competing, sometimes contradictory, pressures on companies simultaneously to ensure robust protection for their customers' data while also considering whether to acquiesce to law enforcement's demands that they should be able to de-encrypt data on request.
On Tuesday, July 23, Attorney General William P. Barr focused his keynote address at the International Conference on Cybersecurity at Fordham University Law School in Manhattan on cybersecurity concerns. Barr's speech noted first the importance of encryption techniques in cybersecurity, explaining, “encryption provides enormous benefits to society by enabling secure communications, data storage and online transactions.” However, Barr's speech primarily focused on a need for companies to provide governmental access to encrypted data and communications. Bemoaning the dangers of “warrant proof” encryption, Barr warned that such encryption “poses a grave threat to public safety by extinguishing the ability of law enforcement to obtain evidence essential to detecting and investigating crimes.” Barr advised technology providers to maintain an appropriate mechanism for lawful access when deploying encryption in their products, services and platforms, although he refrained from supporting or discussing any specific proposals to do so.
Since Barr's speech, figures such as FBI Director Christopher Wray and Sen. Ron Wyden have spoken in approval of and in warning against, respectively, Barr's plan to eliminate “warrant proof” encryption. While one side argues it is important for authorities to be able to investigate dangerous crimes that bad actors may use encrypted data to hide, the other cautions that allowing back door entry for legal access to encrypted data nullifies the entire purpose of encryption, as there is no guarantee that the back door will be secure from bad actors.
One day later, on July 24, the Federal Trade Commission imposed a record-breaking $5 billion penalty on Facebook for violating its consumers' privacy. While many of the privacy violations at issue in the FTC's investigation involved serious violations separate from encryption concerns, the FTC's order imposed specific encryption obligations, requiring the company to protect user passwords cryptographically and implement regular scans to make sure user passwords are not stored in plain text.
Companies reviewing encryption news may justifiably be at a loss for how to navigate encryption concerns in a world with an ever-increasing need for cybersecurity. As the Facebook fine illustrates, encryption of sensitive data is becoming less optional and is more commonly seen as part of a reasonable standard of care. But what type of encryption? What needs to be encrypted? As Barr's speech makes clear, how a company encrypts its data has become the most pressing question for companies today. We provide here a few general considerations for companies reconsidering their current encryption policies:
- You should likely implement encryption policies for sensitive personal employee or consumer data or highly confidential commercial data. Although few laws currently mandate that companies encrypt data, many state, federal, and foreign laws require companies to take reasonable measures to protect personally identifiable employee and consumer information and highly confidential commercial information—i.e., the kind of data most attractive to cyber hackers. Some laws, like California's recently enacted data privacy law, which takes effect next year, may ease or remove liability for companies that encrypt their data.
- When making a determination of which company data to encrypt, focus on two questions: What data is most valuable to your company (or to competitors or hackers)? What data is most vulnerable at your company? Note that the vulnerable data may not necessarily be the same as the highly valuable data. For example, employees with access to unencrypted consumer information may be easier targets for email phishing scams or other infiltration methods than employees working on sensitive and highly confidential inventions.
- When implementing or updating encryption policies at your company, match or exceed the level of encryption other companies in your marketplace consider suitable. Cybersecurity consultants or third party anti-malware vendors may provide you with examples of what is typical in your field for a company of your size. Go above and beyond. An ounce of prevention now may save you pounds of pain in the future, and will put you in better stead with regulators, customers, and potential litigants should something still go wrong.
- When implementing enhanced encryption security policies in your company, train employees who may handle encrypted data. For example, if your company provides a virtual private network to encrypt any remote work, you should train employees in VPN and remote working best practices.
- Implement appropriate controls to ensure compliance with your encryption requirements, as well as meaningful ways to collect and analyze data about compliance with the requirements.
- Keep current on evolving laws, regulations, and litigation related to information privacy, cybersecurity and encryption. Cybersecurity is, legally, cutting edge, and its regulatory and legal compliance requirements will continue to evolve as cyber risks become more prevalent and sophisticated. Experienced counsel can help keep you abreast of and in compliance with those evolving laws.
- If you are a technology provider, consider whether—and, if so, how—you can and should seek to accommodate law enforcement's desire for a de-encryption backdoor to which Attorney General Barr gave voice. There may be good business or corporate governance reasons to do so, but such a back door may not only alienate customers but also increase your own cybersecurity risks.
There are no one-size-fits-all answers to how best a company can and should encrypt and otherwise protect customer and other sensitive data, and whether and how it should implement a back door for law enforcement. Each company faces its own risk package, has its own market pressures, and interfaces with law enforcement in its unique way. But keeping in mind the pointers we set forth above will allow you to frame and flesh out the approach that makes the most sense for your company.
Jason Linder is a partner and chair of Irell & Manella's global investigations and white collar criminal defense practice. He is a former senior Department of Justice prosecutor and assistant U.S. attorney.
Molly Russell is an associate in the Los Angeles office of the firm. Her practice encompasses a wide range of intellectual property, white collar and general litigation matters.