Assuming we are talking about physical tiers, my understanding is that in order to pass data from, say, the data tier to the business logic tier, the JSON format is used (or XML). So say I have an ORM (Hibernate) as part of my data access logic: I then serialize the resulting object (pointed to by a REST call from the BLL) to JSON and pass it into the business layer. Finally, I run any business logic required on this object in the BLL, serialize it to JSON and send it to the client.
My question is this: with all this (potentially personal) JSON data being passed over from network to network, does it need any form of security, for example some kind of encryption on the JSON messages?