Unencrypted Data
Definition
Personal information stored or transmitted in plain text format without cryptographic protection, creating significant security and privacy risks if unauthorized parties gain access. Unencrypted data is readable by anyone who obtains it, whether through data breaches, insider access, interception, or physical device theft.

Privacy regulations generally require appropriate security measures, and unencrypted storage or transmission of sensitive data often falls short of 'reasonable security' standards. Under GDPR Article 34, breaches of encrypted data may not require individual notification if the encryption key wasn't compromised, but breaches of unencrypted data typically trigger notification obligations. State breach notification laws similarly may not require notification if breached data was encrypted.

Organizations should:
- identify data requiring encryption based on sensitivity
- implement encryption for data at rest (stored) and in transit (transmitted)
- use strong encryption algorithms and key management
- regularly audit for unencrypted data
- maintain encryption key controls
- plan for encryption key rotation

While encryption isn't explicitly mandated for all data, it represents a fundamental security control that privacy laws expect organizations to implement appropriately based on risk.
Applicable Laws & Regulations
- GDPR Article 32
- GDPR Article 34
- State Breach Notification Laws
- CCPA Section 1798.150