Encrypting data whilst it is being stored (eg on a laptop, mobile, USB or back-up media, databases and file servers) provides effective protection against unauthorised or unlawful processing. It is especially effective to protect data against unauthorised access if the device storing the encrypted data is lost or stolen.
A civil monetary penalty of £150,000 was served on Greater Manchester Police after a USB stick containing data on police operations was stolen from an officer’s home. The stick contained personal data of over 1,000 people with links to serious organised crime investigations going back over an 11 year period. It was unencrypted and had no password protection.
An investigation established that an officer had used the device to copy information from his personal folder on the force’s network in order to access the data from outside the office. It was subsequently discovered that a number of other officers were also using unencrypted memory sticks on a regular basis.
The data controller failed to implement appropriate technical measures against the loss of personal data. Although there was an order requiring the use of encrypted memory sticks, it was not enforced and no steps were taken to restrict the downloading of files onto external devices.
Full disk encryption
Most modern operating systems have full disk encryption built in, which will encrypt the entire contents of the drive. The data is decrypted when the user accesses the device. Unfortunately, it may not be enabled by default, requiring it to be activated, for example by accessing the relevant settings options within the operating system of their device.
Some data controllers have considered setting a PIN or requiring users to provide a username/password in order to access a device. Whilst this can offer assurance that the user is authorised to perform certain functions this approach offers little protection to the underlying data which is commonly stored in plain text on the disk and must not be considered as equivalent to encryption. The data can also be easily accessed by an attacker with physical access to the device.
Passwords used to decrypt the hard disk or for access control must be sufficiently complex in order to provide an appropriate level of protection (see section Keeping the key secure)
Individual file encryption
Alternatively, organisations can encrypt files individually, or place groups of files within encrypted containers. In the event of loss or theft of the device an attacker might gain access to the device and to some data but not to the encrypted files (assuming the key remains secure).
The ability to create encrypted containers may be part of encryption or other archive software or be built-in to the operating system. Once a container is created, files can be placed within it and encrypted and the container itself can be moved and/or copied.
Application or database encryption
Some software applications and databases can also be configured to store data in an encrypted form. The benefit here is that the application controls the encryption so can access the keys when needed without relying on the underlying IT infrastructure
When data is shared between applications then processes are required to share keys securely.
Residual risks with encrypted data storage
Data controllers should recognise that there are occasions where data can still be accessed by an unauthorised person, even if a system uses encrypted data storage. For example:
- if an encrypted device is left unattended whilst a user is logged in, then an attacker can gain access to the decrypted material;
- devices that store data in encrypted volumes or containers must mount or open these containers in order for the data to be accessed. If the volumes are not closed or unmounted once the user has finished, the data may be accessible to others;
- if a device is infected with malware which has appropriate permissions to access the data, full disk encryption or use of secure containers will offer little protection once that data is decrypted;
- if applications on the device are compromised by an attacker then any data which can be accessed by the application is vulnerable. For example, successful exploitation of a website vulnerable to an SQL injection attack could expose data whether or not the device itself is encrypted; and
- APIs which permit web content to read and write files on the underlying file system may pose additional security considerations.
Addressing these types of risks is therefore an important part of an encryption policy which can also include employee awareness training.
Read our further guidance on protecting personal data in online services for more information: