Encryption may not be legally required across industries, but it confers some legal benefits: regulators now largely expect covered entities to use encryption, and many state laws exempt firms from notification requirements if data was encrypted at the time of a breach. This second article in a three-part series explores the legal and regulatory framework surrounding encryption, including various federal and state laws. The first article reviewed the basics of encryption, when it should be used and challenges in implementing it. The third article will evaluate appropriate policies and procedures; the role of legal and compliance personnel; and third-party management. See our three-part series on unlocking encryption: “Navigating Encryption Options and Persuading Reluctant Organizations” (Aug. 9, 2017); “A CISO’s Perspective on Encryption As Only One Strategy” (Aug. 23, 2017); and “An Attorney Weighs in on Balancing Security and Practicality” (Sep. 13, 2017).