Is encryption required for compliance with current privacy and security laws?


I'll give you the customary analyst/lawyer answer, it depends. Some of the regulations, like HIPAA and Graham Leach Bliley, require you to perform a risk analysis on your environment. So, you may or may not conclude that encryption is necessary based on your findings.

Some of the state breach notification laws, like California's SB 1386, say that unencrypted personal information falls within the scope of notification. So, if a breach occurs, or is suspected to have occurred, and everything is encrypted, you may not have to report the incident to the information owners. But, if it's unencrypted, that's when you'll have to worry about it. It varies from state to state, so you've definitely got to do some research in this area. Even with SOX, it could be argued that financial controls may include storage encryption.

So, it all depends on the particular scenario, the size of the organization, whether or not you are a credit card merchant for PCI, etc. There needs to be someone in every organization that can look at these laws and say what's what and put you on the right track.

Check out the entire Storage Encryption FAQ guide.

04 Oct 2007

Related glossary terms

Terms from Whatis.com − the technology online dictionary
Data storage compliance and archiving

Related Resources