Question 38
Why do encryption and state breach laws often appear together in exam questions?
Correct answer: A
Explanation
State breach-notification laws often hinge on whether exposed data was "encrypted" or otherwise rendered unusable, because many statutes define a reportable breach as involving protected information that is not secured. If encryption is effective, the information may be treated as "protected" rather than "unsecured," which can change whether notice is required.
Why each option is right or wrong
A. Because encryption may affect whether the compromised information is treated as protected or unsecured under a state's notice trigger
Many state breach-notification statutes define a reportable incident by reference to whether personal information was acquired in a form that was not secured, and encryption is expressly built into that trigger. For example, California Civil Code § 1798.82 and similar state laws exclude encrypted data from the notice obligation unless the encryption key or other means of decryption was also compromised; the practical exam point is that the same facts can either trigger notice or avoid it depending on whether the data was encrypted at the time of exposure.
B. Because encryption is illegal in some states
C. Because encryption replaces all consumer notice duties
D. Because only banks may encrypt data