HTTP Secure is a ranking factor since mid 2014 and is used as a signal that the website either
- can be trusted to handle secure data
- may signal a commitment to greater care and investment in the website
The latter is not confirmed, but just assumed.
Since 2016 Google Chrome (and other browsers) begun warning users when a website they were using did not have HTTPS. In 2017 Chrome’s warning became more obvious, especially in relation to pages that either required a password or contained a form.
Expect Google to begin warning users about more security issues as it pushes toward a global use of HTTPS.
The HTTPS process is a key exchange system where only the website and the browser hold the necessary keys to unlock the data transmitted between them. HTTPS has no bearing on data security that is stored at either the user end or the server end. It relates only to transmission, so makes it less likely that interception can result in a data hijack.
If considering a migration from HTTP to HTTPS be aware that this process involves changing all URLs in your website and is therefore technically an SEO reset, however if pages are properly redirected using 301s then Google will typically preserve rank positions during the changeover.