Encryption strategies for legal compliance can vary based on the state of the data as well as its classification. Data is generally considered to be in one of three states: in transit, at rest, or in use. Data in transit is actively moving from one network to another, such as when it is moved from local storage to a cloud-based storage account. Data at rest is inactive data that is not actively moving between networks, such as data stored on a hard drive, device, or cloud storage account. Data in use is data that is actively being processed.
Encryption of data in transit—particularly personal information—is largely viewed as an absolute requirement for the protection of confidentiality. When at rest, there are a range of security measures other than encryption that can be implemented to protect against unauthorized access, modification, or deletion. In these cases, encryption is seen as less of a requirement for protecting personal data provided that other measures are implemented in its place. For enterprises that are storing personal information of those covered by the CCPA, however, encryption of data at rest can limit legal actions in the event of a data breach and should be considered as part of a legal mitigation program regardless of any additional security measures in place.