Encryption by Law? If so, what strength or type?

Tags:
cybersecurity
Data privacy
Encryption
privacy
Security
White House Cybersecurity Initiative
Should encryption be explicitly prescribed in Data Security and Privacy legislation like the Massachusetts Data Privacy Law and the White House cybersecurity initiative? If so, what strength or method? Should there be a minimum strength? What do you think?

Answer Wiki


Have you examined NIST guidelines? You may take a look here.
Data encryption rules, regulations and guidelines vary from state to state. In some states, if the sensitive data is encrypted (the key length/strength does not matter), it is OK.

Please elaborate a bit more on the context?

Discuss This Question: 7  Replies

  • SarahCortes
    Implement encryption that people will use and that does not require a significant amount of management overhead (key management: creation, recovery, lifecycle). It should be cost effective for the population size and user education. Any modern system with a key length of 1024 bits or better should be adequate.
  • JoeMellott
    I have been looking into the impacts of the MA law, and they specify encryption that uses "... an algorithmic process, or alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key...", which is pretty wide open as far as actual strengths and methods to meet compliance. Further, only data that is transmitted across public networks, wirelessly, or stored on laptops needs to be encrypted, so depending on how your organization works this could be a huge deal or trivial. Having the government specify minimum encryption strengths seems dangerous to me, as they will probably either be unreasonably hard on the little guy or hopelessly behind the times.
  • Rklanke
    Every encryption scheme, regardless of key length, assumes strong passwords. If users set the passwords, expect weak (easily remembered, easily entered, and easily guessed) passwords. Dictating encryption strength or mechanism without dictating password strength leads to false confidence.
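The point in the reply above (key length says nothing about the strength of a password-derived key) is easy to show with a small, self-contained demonstration. The following is an added example and is not code from this thread or from any of the laws discussed. It derives a 256-bit key from a password with PBKDF2-HMAC-SHA256 (a standard password-based KDF), stores a key check value of an assumed form next to a salt, as an encryption tool's header would, and then runs the offline guessing attack an attacker would mount against a lost laptop or backup tape. The wordlist, the passwords and the key-check construction are all constructed for the example.

```python
"""Constructed demo: a 256-bit key is only as strong as the password it is derived from."""
import hashlib
import hmac
import math
import os
from typing import Iterable, Optional, Tuple

KEY_LEN = 32             # 256-bit derived key: the "strength" a law might mandate
PBKDF2_ITERATIONS = 100_000

# Constructed wordlist standing in for a real password dictionary (assumption).
CONSTRUCTED_WORDLIST = [
    "password", "123456", "letmein", "qwerty", "welcome1",
    "admin", "Summer2015", "Password1", "changeme", "football",
]


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch a password into a 256-bit key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """Verifier a file/disk encryption header stores so the right key can be
    recognised. This exact construction is an assumption, but every tool needs
    some equivalent, and it is what an attacker tests guesses against."""
    return hmac.new(key, b"key-check", "sha256").digest()


def protect(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Produce the header fields (salt, KCV) an attacker gets for free when a
    laptop or backup tape goes missing. The bulk ciphertext is omitted: the
    attack below never needs to touch it."""
    salt = os.urandom(16) if salt is None else salt
    return salt, key_check_value(derive_key(password, salt))


def dictionary_attack(salt: bytes, kcv: bytes,
                      wordlist: Iterable[str]) -> Optional[Tuple[str, int]]:
    """Offline guessing: derive a key from each candidate and compare its KCV.
    Returns (password, number_of_guesses), or None if the list is exhausted."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(key_check_value(derive_key(candidate, salt)), kcv):
            return candidate, guesses
    return None


def effective_key_bits(guesses_needed: int) -> float:
    """Work the attacker actually did, in bits, for comparison with KEY_LEN * 8."""
    return math.log2(guesses_needed)


if __name__ == "__main__":
    salt, kcv = protect("Summer2015")
    hit = dictionary_attack(salt, kcv, CONSTRUCTED_WORDLIST)
    assert hit is not None
    pw, n = hit
    print(f"recovered {pw!r} after {n} guesses: ~{effective_key_bits(n):.1f} bits of work "
          f"against a {KEY_LEN * 8}-bit key")
    salt, kcv = protect("correct horse battery staple 7!")
    print("passphrase not in the list:", dictionary_attack(salt, kcv, CONSTRUCTED_WORDLIST))
```

Note that nothing in the attack depends on `KEY_LEN`: the 256-bit key falls in seven guesses because the password was the seventh entry in the list, and the only cost the iteration count adds is linear in the number of guesses. A rule that names a key length but not the entropy of whatever the key is derived from does not change this picture.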
  • SarahCortes
    Thx, SbElectric, for your reply. My question regards your opinion of whether and how encryption should be included in legislation like the ones I noted in my question. Not exactly asking what the standards are. I can see what the laws say; they are totally vague. I am soliciting input from a broad range of people as to their opinions on this topic. NIST guidelines are great, by the way; which one or ones in particular would you highlight as "encryption" standards? Since there are hundreds of standards on that site and they don't have an "encryption" cluster. I'll be interested to know your answer, thx
  • SarahCortes
    Troy Tate, thanks, are you recommending the law should explicitly require a 1024-bit minimum key length? I'm interested in what we feel the law should specify rather than how anyone recommends interpreting the law. Right now the law is totally vague. JoeMellott seems to be saying the law should not attempt to require encryption because it is not feasible to come up with a reasonable standard. Rklanke seems to agree that specifying encryption in the law is futile since its implementation has so many dependencies and these would also have to be explicitly specified. SbElectric seems to be unclear but suggesting using a NIST standard. An interesting idea, so I asked, which one? There seem to be hundreds and "encryption" is not a NIST cluster topic. Will be waiting to hear responses.
  • ToddN2000
    I say yes to encryption. A while back my bank lost a set of backup tapes that were not encrypted. That made me change banks. If a major bank is not following some standard of security in their data, that's just bad. As to how far we go in encrypting data, it depends. Financial, medical and others, definitely. As for your local store's mailing list, probably not. I'd say if you gave any info such as SSN, bank account or credit card number, or even birthdate info, it should be encrypted. We do not want to make identity theft any easier for the evil doers of the world. All it takes is a few pieces of personal data and it's not too hard to fill in the blanks.
  • ToddN2000
    Forgot to add something. Coming up with a standard would be hard because not all systems may be set up for the same level of encryption. That may be OK if you exchange data with another business and you have an agreed method in place for data exchange. How do you enforce or monitor the standardized encryption rule if it were in place? What would the penalties be for failure to comply?
