Educause Security Discussion mailing list archives
Re: Federal/State standards for data encryption via the WWW
From: Tracy Mitrano <tbm3 () CORNELL EDU>
Date: Tue, 15 Apr 2003 06:40:40 -0400
Hi Nick:

I am not aware of any laws that require encryption per se, but policy/security folks might want to keep their attention closely honed to how encryption will become a component of the "reasonableness" standard for policies, procedures and guidelines in electronic security under HIPAA and the Financial Services Modernization Act. While the security regulations do not go into effect for a couple more years, it is important to stay tuned and ahead of the game if resources allow in order not to become a test school for what this very general standard means in practice. I suspect that such a general standard, undelineated by specifics such as encryption, will generate a "keep up the Jones'" kind of effect throughout industry and higher education in the area of network security.

Because FERPA meets or supersedes the privacy regulations of HIPAA and FSMA (which will both be in effect by May 23, 2003 -- HIPAA's privacy regulations having gone into effect yesterday), one suggestion is to adopt the standards of the leading institutions in FERPA compliance, particularly in the storage and transmission of electronic educational records. With this query it well may be that you may be a leader in raising that bar!

Tracy Mitrano

At 05:34 PM 4/14/2003 -0400, you wrote:
All,

I am a member of the IT staff at Case Western Reserve University and I am in the process of developing a proposal for utilizing SSL on several of our web applications to encrypt personal information (i.e. SSN, credit card #s, etc.). I am aware that a need exists to encrypt certain types of information while we transmit it via the WWW, however, I am not aware of any federal or state standards surrounding this issue.

Ideally, I am hoping to find a document detailing the type of information that warrants encryption, and also the level of encryption necessary. For example, does one need to encrypt an SSN at 40-bit or 128-bit prior to transmission over the internet? Also, if anyone is aware of the legal implications, either at the state or federal level, I would appreciate some discussion surrounding this as well.

Thank you,
Nick Fischio

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
Current thread:
- Federal/State standards for data encryption via the WWW Nick Fischio (Apr 14)
- <Possible follow-ups>
- Re: Federal/State standards for data encryption via the WWW Tracy Mitrano (Apr 15)
- Re: Federal/State standards for data encryption via the WWW Scott Bradner (Apr 15)
- Re: Federal/State standards for data encryption via the WWW Ken Shaurette (Apr 15)