Is encryption required for compliance with current privacy and security laws?

I'll give you the customary analyst/lawyer answer: it depends. Some of the regulations, like HIPAA and Gramm-Leach-Bliley, require you to perform a risk analysis on your environment. So, you may or may not conclude that encryption is necessary based on your findings.

Some of the state breach notification laws, like California's SB 1386, say that unencrypted personal information falls within the scope of notification. So, if a breach occurs, or is suspected to have occurred, and everything is encrypted, you may not have to report the incident to the information owners. But, if it's unencrypted, that's when you'll have to worry about it. It varies from state to state, so you've definitely got to do some research in this area. Even with SOX, it could be argued that financial controls may include storage encryption.

So, it all depends on the particular scenario, the size of the organization, whether or not you are a credit card merchant for PCI, etc. There needs to be someone in every organization that can look at these laws and say what's what and put you on the right track.

Check out the entire Storage Encryption FAQ guide.

This was last published in October 2007
