Although most laws and regulations do not specifically require it, there are several legal incentives for a fund manager to employ encryption. For instance, regulators now largely expect covered entities to use encryption, and many state laws exempt firms from notification requirements if data were encrypted at the time of a breach. This second article in a three-part series explores the legal and regulatory framework surrounding encryption, including various federal and state laws. The first article reviewed the basics of encryption, when it should be used and challenges with implementing it. The third article will evaluate the policies and procedures a manager should enact; the role of legal and compliance personnel; and the management of third parties with respect to data security. See our three-part series “How Fund Managers Should Structure Their Cybersecurity Programs”: Background and Best Practices (Mar. 22, 2018); CISO Hiring, Governance Structures and the Role of the CCO (Apr. 5, 2018); and Stakeholder Communication, Outsourcing, Co-Sourcing and Managing Third Parties (Apr. 12, 2018).