What are PII Encryption Requirements?
PII encryption requirements exist when federal, state, or industry regulations mandate the use of encryption to protect the confidentiality of Personally Identifiable Information at rest and/or in transit. When no such regulations exist, it is still advisable to encrypt PII to ensure it is undecipherable in the event it is disclosed to or accessed by an unauthorized party.
All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws that require private businesses to notify State Attorneys General and affected individuals when unsecured PII is disclosed or accessed without authorization. However, it has been estimated that only half of businesses have data encryption strategies that identify how PII is received, stored, and transmitted, and how it is protected from unauthorized disclosure or access.
This is despite many federal, state, and industry regulations having mandatory PII encryption requirements. Businesses that fail to comply with the PII encryption requirements and subsequently suffer a data breach can face significant costs and regulatory penalties. In addition, an increasing number of state data privacy laws allow for private rights of action, and any resulting lawsuits further increase the cost of failing to secure PII with encryption.
Federal PII Encryption Requirements
Federal PII encryption requirements apply to federal departments, agencies, contractors, and service providers. These entities are required to encrypt PII at rest and in transit to the FIPS 140 standard, unless a higher standard applies to protect data classified as “Secret”. Contractors and service providers who fail to comply with the PII encryption requirements may not only have their contracts cancelled, but could also face criminal penalties under the Privacy Act.
Other federal PII encryption requirements apply to private businesses in (among others) the financial and healthcare industries. In the financial industry, “nonpublic personal information” must be encrypted at rest and in transit under the FTC’s Safeguards Rule. The Rule applies to all businesses covered by the Gramm-Leach-Bliley Act, and to those that are “significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities” (16 CFR §314.2).
In the healthcare industry, the requirements to encrypt data are in the Technical Safeguards of the HIPAA Security Rule (45 CFR §164.312). Although the encryption requirements apply to Protected Health Information (PHI) rather than Personally Identifiable Information (PII), any PII maintained in the same designated record set as PHI automatically assumes protected status and must be encrypted. PII maintained outside a designated record set is not subject to the same federal requirements, but may still need to be encrypted under a state law.
State Laws Requiring PII to Be Encrypted
An increasing number of states are enacting privacy legislation. Not all require that PII be encrypted, but some that do apply to citizens of the state wherever they are located at the time PII is collected (e.g., Mass. 201 CMR 17.00). Other state laws may only apply to PII collected via the Internet rather than collected physically and transferred to an electronic database (e.g., Nevada NRS 603a), or they might apply only to a certain type of business within the state (New York 23 NYCRR 500).
While many state laws exempt businesses regulated by federal laws such as the Gramm-Leach-Bliley Act (GLBA) or HIPAA, some only exempt them for certain types of information. For example, the Colorado Privacy Act exempts “Protected Health Information that is collected, stored, and processed by a covered entity or its business associate”, but the Act does not exempt PII maintained outside a designated record set which is used for non-health purposes (e.g., marketing).
Multi-Industry PII Encryption Regulations
In addition to industry-specific PII encryption regulations such as GLBA and HIPAA, the Payment Card Industry Data Security Standard (PCI DSS) has PII encryption regulations that apply to all businesses that accept or process debit and credit card payments. The regulations require businesses to:
- Render cardholder data unreadable anywhere it is stored by using either one-way hashes, truncation, index tokens, or strong cryptography with associated key management processes and procedures (Requirement 3.5.1), and
- Protect Primary Account Numbers (PANs) with strong cryptography during transmission, either by encrypting the data before it is transmitted, or by encrypting the session over which the data is transmitted, or both (Requirement 4.2).
Some state laws with PII encryption requirements exempt businesses that comply with the PCI DSS regulations (e.g., Nevada NRS 603a). However, some exemptions only apply to PII associated with card payments. Any other data collected by the same business may still be subject to the remaining PII encryption requirements. Businesses that are unsure about which regulations apply to their operations should seek professional compliance advice.