Your organization encrypts all archived customer databases and assumes this means its records-disposal schedule can be ignored. Which of the following statements BEST explains why this practice is unacceptable?
Encrypted archives are considered offline storage and cannot be subpoenaed.
Encryption keys can later be compromised, so retaining unnecessary encrypted data can still lead to a breach or compliance violation.
Cryptographic erasure applies only to unencrypted datasets, so deletion would corrupt the encryption system.
Encrypted data is automatically anonymized and therefore exempt from retention statutes.
Encryption is only one control in a defence-in-depth strategy. Because encryption keys can be stolen, guessed, or mishandled, any unnecessary encrypted records still represent legal and security risk. Regulations such as GDPR, HIPAA, state privacy statutes, and industry rules require data to be deleted or anonymized once the retention period or processing purpose expires. Continuing to store the data, encrypted or not, can trigger fines and disclosure obligations if the keys are compromised.