30 pts.
Encryption by Law? If so, what strength or type?
Should encryption be explicitly prescribed in Data Security and Privacy legislation like the Massachusetts Data Privacy Law and the White House cybersecurity initiative? If so, what strength or method? Should there be a minimum strength? What do you think?

ASKED: June 14, 2009  1:28 AM
UPDATED: November 30, 2011  12:43 AM

Answer Wiki:
Have you examined the NIST guidelines? You may take a look at http://csrc.nist.gov/ Data encryption rules, regulations and guidelines vary from state to state. In some states, if the sensitive data is encrypted it is OK, regardless of key length or strength. Could you elaborate a bit more on the context?
Last Wiki Answer Submitted:  June 15, 2009  8:06 pm  by  SbElectric   2,510 pts.
All Answer Wiki Contributors:  SbElectric   2,510 pts.


Discuss This Question:


 

Implement encryption that people will use and that does not require a significant amount of management overhead (key management: creation, recovery, lifecycle). It should be cost-effective for the population size and the user education required. Any modern system with a key length of 1024 bits or better should be adequate.

 0 pts.

 

I have been looking into the impacts of the MA law, and they specify encryption that uses “… an algorithmic process, or alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key…”, which is pretty wide open as far as actual strengths and methods to meet compliance.

Further, only data that is transmitted across public networks, wirelessly or stored on laptops needs to be encrypted, so depending on how your organization works this could be a huge deal or trivial.

Having the government specify minimum encryption strengths seems dangerous to me, as they will probably either be unreasonably hard on the little guy or hopelessly behind the times.

 10 pts.

 

Every encryption scheme, regardless of key length, assumes strong passwords. If users set the passwords, expect weak (easily remembered, easily entered, and easily guessed) passwords. Dictating encryption strength or mechanism without dictating password strength leads to false confidence.

 1,235 pts.
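The point made in the comment above, that a long key derived from a weak password is only as strong as the password, can be shown concretely. The following is an added example, not code from the original thread or from any of the commenters. It uses only the Python standard library: the key is derived with PBKDF2-HMAC-SHA256, and the "cipher" is a keystream built from HMAC-SHA256 in counter mode, which stands in for AES-256-CTR so the script runs without third-party packages (the argument does not depend on which cipher is used). The 4-byte `DOC1` file header, the iteration count and the six-entry wordlist are all constructed assumptions for the demonstration.

```python
"""Added example: a 256-bit key derived from a weak password falls to a
dictionary attack in a handful of guesses, regardless of key length."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

KDF_ITERATIONS = 10_000   # assumption: a modest PBKDF2 work factor
MAGIC = b"DOC1"           # assumption: the file format starts with a fixed header,
                          # which gives an attacker a cheap "is this key right?" test


def derive_key(password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32-byte (256-bit) key. Key length is 256 bits
    no matter how weak the password is."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a block cipher in CTR mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext, where ciphertext covers MAGIC || plaintext."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    key = derive_key(password, salt)
    body = MAGIC + plaintext
    ct = bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))
    return salt + nonce + ct


def decrypt(password: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the header check fails (wrong password)."""
    salt, nonce, ct = blob[:16], blob[16:32], blob[32:]
    key = derive_key(password, salt)
    body = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    if not body.startswith(MAGIC):
        return None
    return body[len(MAGIC):]


# Constructed wordlist for the demo; a real attack uses millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2009", "Welcome1"]


def dictionary_attack(blob: bytes, wordlist) -> Tuple[Optional[str], int]:
    """Try each candidate password in order.
    Returns (recovered_password_or_None, number_of_KDF_evaluations)."""
    for n, candidate in enumerate(wordlist, start=1):
        if decrypt(candidate, blob) is not None:
            return candidate, n
    return None, len(wordlist)


if __name__ == "__main__":
    blob = encrypt("summer2009", b"SSN: 000-00-0000")
    pw, tries = dictionary_attack(blob, WORDLIST)
    print(f"recovered password {pw!r} after {tries} KDF evaluations")
    print(f"effective search space: {len(WORDLIST)} guesses, not 2**256")
```

The KDF iteration count only multiplies the attacker's per-guess cost; it does not enlarge the search space. With a six-entry wordlist the 256-bit key carries under three bits of real uncertainty, which is why a statute that names a key length but says nothing about how the key is chosen or derived gives little assurance.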

 

Thx, SbElectric, for your reply. My question regards your opinion of whether and how encryption should be included in legislation like the ones I noted in my question. I am not exactly asking what the standards are. I can see what the laws say; they are totally vague. I am soliciting input from a broad range of people as to their opinions on this topic.

NIST guidelines are great, by the way. Which one or ones in particular would you highlight as "encryption" standards? There are hundreds of standards on that site and they don't have an "encryption" cluster.

I’ll be interested to know your answer, thx

 30 pts.

 

Troy Tate, thanks, are you recommending the law should explicitly require 1024-bit minimum key length? I’m interested in what we feel the law should specify rather than how anyone recommends interpreting the law. Right now the law is totally vague.

JoeMellott seems to be saying the law should not attempt to require encryption because it is not feasible to come up with a reasonable standard.

Rklanke seems to agree that specifying encryption in the law is futile, since its implementation has so many dependencies and these would also have to be explicitly specified.

SbElectric seems to be unclear but is suggesting using a NIST standard. An interesting idea, so I asked which one, as there seem to be hundreds and "encryption" is not a NIST cluster topic.

Will be waiting to hear responses.

 30 pts.