
Encryption at Rest & in Transit

NIST CSF: Protect (PR.DS-1) | CIS Control 3: Data Protection

What This Control Means

Data encryption transforms readable information into an unreadable format using cryptographic algorithms, ensuring that even if data is intercepted or stolen, it remains unintelligible without the corresponding decryption key. Encryption should be applied both at rest (data stored on disks, databases, and backups) and in transit (data moving across networks).

Encryption in transit protects data as it travels between systems, whether across the public internet or within an internal network. TLS 1.2 or 1.3 should be enforced for all web traffic, email transmission, API communications, and remote access connections. Unencrypted protocols such as HTTP, FTP, and Telnet should be disabled or replaced with their encrypted equivalents (HTTPS, SFTP, SSH).

Encryption at rest protects data stored on servers, databases, laptops, and removable media. Modern operating systems and cloud platforms offer built-in encryption: BitLocker for Windows, FileVault for macOS, and server-side encryption for cloud storage services like AWS S3 and Azure Blob Storage. Database-level encryption (Transparent Data Encryption) protects structured data without requiring application changes.

Key management is the often-overlooked companion to encryption: encryption is only as strong as the protection of the keys that decrypt the data. Keys should be stored separately from the data they protect, rotated on a defined schedule, and access to key management systems should be tightly restricted and logged. For cloud environments, managed key services (AWS KMS, Azure Key Vault) simplify key storage and rotation while maintaining strong access controls.

Why Insurers Care

Encryption is a standard requirement on cyber insurance applications, particularly for organizations handling sensitive personal, financial, or health data. Insurers ask whether data is encrypted at rest and in transit, and what encryption standards are used. The absence of encryption is a red flag that can increase premiums or narrow coverage.

In breach scenarios, the presence of encryption can be the difference between a reportable incident and a non-event. Many data breach notification laws include safe harbor provisions that exempt encrypted data from notification requirements, provided the encryption keys were not also compromised. This directly reduces the financial impact of an incident and the resulting insurance claim.

Industry-Specific Notes

Healthcare (HIPAA)

HIPAA requires encryption as an addressable specification under the Security Rule (45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii)). The Breach Notification Rule provides a safe harbor for encrypted ePHI. If encrypted data is breached but the key is secure, individual notification is not required. This makes encryption one of the most cost-effective controls in healthcare.

Legal (ABA Guidelines)

The ABA Formal Opinion 477R states that lawyers must use encryption when transmitting information relating to client representation, particularly when the communication includes sensitive content. Many state bar opinions reinforce this requirement. Encrypting client data at rest protects against privilege breaches in the event of a firm's systems being compromised.

Financial Services (GLBA/PCI-DSS)

PCI-DSS Requirement 3.4 requires that primary account numbers (PAN) be rendered unreadable wherever they are stored, with strong cryptography as the preferred method. GLBA's Safeguards Rule requires encryption of customer data in transit over external networks. Banking regulators expect encryption to be the default for all sensitive financial data.

Retail / E-commerce (PCI-DSS)

PCI-DSS Requirement 4.1 mandates strong cryptography for cardholder data transmitted over open, public networks. Retail organizations processing card-present and card-not-present transactions must ensure that encryption extends from the point of interaction through the entire payment processing chain.

Government / Defense (CMMC 2.0)

NIST 800-171 controls SC.L2-3.13.8 and SC.L2-3.13.11 require encryption of CUI at rest and in transit. FIPS 140-2 validated cryptographic modules are required for federal systems and strongly recommended for contractors. CMMC Level 2 assessors verify both the presence and strength of encryption implementations.

Implementation Steps

Enable TLS 1.2 or higher for all web services, email, and API communications

Activate full-disk encryption on all endpoints (BitLocker for Windows, FileVault for macOS)

Enable server-side encryption for all cloud storage buckets and database instances

Disable unencrypted protocols (HTTP, FTP, Telnet) on all systems and replace with encrypted alternatives

Implement a key management policy defining key storage, rotation schedules, and access controls
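The following Go program is an added example (not part of this control page or any vendor's code) showing what step 1 means in practice: a TLS server configured with a TLS 1.2 floor refuses a client that can only speak TLS 1.0/1.1, while TLS 1.2 and 1.3 clients still connect. It runs entirely in memory over net.Pipe; the host name api.example.internal and the self-signed certificate are constructed for the demonstration, and a real service would use a CA-issued certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// throwawayCert builds a self-signed certificate in memory (constructed for this example only).
func throwawayCert() (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "api.example.internal"}, // hypothetical host
		DNSNames:     []string{"api.example.internal"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	parsed, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}
// HandshakeAccepted runs a full TLS handshake over an in-memory pipe (no sockets) against a
// server whose floor is TLS 1.2, with a client offering at most maxVersion; true if both sides finish.
func HandshakeAccepted(maxVersion uint16) bool {
	cert, parsed := throwawayCert()
	// MinVersion is the control: TLS 1.0 and 1.1 are refused outright. Session tickets are
	// disabled only so the synchronous pipe has no post-Finished server writes.
	server := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, SessionTicketsDisabled: true}
	roots := x509.NewCertPool()
	roots.AddCert(parsed) // trust only the throwaway cert; certificate verification stays on
	client := &tls.Config{RootCAs: roots, ServerName: "api.example.internal",
		MinVersion: tls.VersionTLS10, MaxVersion: maxVersion} // legacy client offers down to 1.0
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second)) // a stalled handshake fails instead of hanging
	s.SetDeadline(time.Now().Add(5 * time.Second))
	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(s, server).Handshake() }()
	clientErr := tls.Client(c, client).Handshake()
	return clientErr == nil && <-serverErr == nil
}
func main() {
	fmt.Println(HandshakeAccepted(tls.VersionTLS11), HandshakeAccepted(tls.VersionTLS12), HandshakeAccepted(tls.VersionTLS13)) // false true true
}
```

The same check against a live endpoint is the verification step for this control: a client pinned to TLS 1.1 must be refused by every web, mail and API service in scope.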
