You should use encryption because it gives you legal protection. Few laws specifically require encryption. HIPAA generally doesn’t. State statutes don’t. Nor does the Gramm Leach Bliley Act’s Safeguard’s Rule. Yet if you are not encrypting PII, PHI, or financial data, you are putting yourself at risk. Those laws expect you to take reasonable precautions. And using encryption, and using it properly, is a reasonable precaution when it comes to dealing with sensitive data. HIPAA, for example, provides that encryption should be used where “the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability” of the information or else implement an “equivalent alternative measure if reasonable and appropriate,” and document why encryption wasn’t the best choice. more
