Educause Security Discussion mailing list archives

Re: Federal/State standards for data encryption via the WWW


From: Tracy Mitrano <tbm3 () CORNELL EDU>
Date: Tue, 15 Apr 2003 06:40:40 -0400

Hi Nick:

I am not aware of any laws that require encryption per se, but
policy/security folks might want to keep their attention closely honed to
how encryption will become a component of the "reasonableness" standard for
policies, procedures and guidelines in electronic security under HIPAA and
the Financial Services Modernization Act.  While the security regulations
do not go into effect for a couple more years, it is important to stay
tuned and ahead of the game if resources allow in order not to become a
test school for what this very general standard means in practice.  I
suspect that such a general standard, undelineated by specifics such as
encryption, will generate a "keep up with the Joneses" kind of effect throughout
industry and higher education in the area of network security.

Because FERPA meets or supersedes the privacy regulations of HIPAA and FSMA
(which will both be in effect by May 23, 2003 -- HIPAA's privacy
regulations having gone into effect yesterday) one suggestion is to adopt
the standards of the leading institutions in FERPA compliance, particularly
in the storage and transmission of electronic educational records.  With
this query it well may be that you may be a leader in raising that bar!

Tracy Mitrano
At 05:34 PM 4/14/2003 -0400, you wrote:
All,

I am a member of the IT staff at Case Western Reserve University and I am
in the process of developing a proposal for utilizing SSL on several of
our web applications to encrypt personal information (e.g. SSN, credit
card #s, etc.).  I am aware that a need exists to encrypt certain types of
information while we transmit it via the WWW, however, I am not aware of
any federal or state standards surrounding this issue.  Ideally, I am
hoping to find a document detailing the type of information that warrants
encryption, and also the level of encryption necessary.  For example, does
one need to encrypt an SSN at 40-bit or 128-bit prior to transmission over
the internet?

Also, if anyone is aware of the legal implications, either at the state or
federal level, I would appreciate some discussion surrounding this as well.

Thank you,
Nick Fischio
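The 40-bit versus 128-bit question above is, in practice, a server configuration question: the server decides which cipher suites it will negotiate, and 40-bit "export" suites were already brute-forceable on commodity hardware when this thread was written. The following is an added example, not code from either poster or from EDUCAUSE, written against the current Python standard-library ssl module (which postdates the thread). It classifies a negotiated cipher as reported by SSLSocket.cipher(), builds a server context with a 128-bit floor, and audits that context to confirm no weak suite is enabled. The function names (classify_cipher, hardened_context, audit_context, weakest_enabled_bits, check_negotiated), the MIN_KEY_BITS floor and the cipher string are this example's own choices, not anything the thread prescribes.

```python
import ssl

# Symmetric-strength floor. 40-bit export suites (EXP-RC4-MD5, EXP-DES-CBC-SHA)
# and 56-bit single DES are below it; 128 bits is the "128-bit SSL" the 2003
# question refers to and the usual minimum today. (Example's own constant.)
MIN_KEY_BITS = 128

# Name fragments that mark a suite as unacceptable regardless of nominal key
# size: export grade, no encryption, RC4, MD5 MACs, single/triple DES, and
# anonymous (unauthenticated) key exchange.
_BANNED_FRAGMENTS = ("EXP", "NULL", "RC4", "MD5", "DES", "ADH", "AECDH")


def classify_cipher(name, bits):
    """Classify a suite from SSLSocket.cipher() -> (name, protocol, bits).

    Returns "reject" for banned algorithms or anything under MIN_KEY_BITS,
    otherwise "accept".
    """
    upper = name.upper()
    if any(frag in upper for frag in _BANNED_FRAGMENTS):
        return "reject"
    if bits < MIN_KEY_BITS:
        return "reject"
    return "accept"


def hardened_context():
    """Server-side context that cannot negotiate below a 128-bit AEAD suite.

    The caller still has to load a certificate with ctx.load_cert_chain()
    before using it; that is left out so the function runs without key files.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # TLS 1.0/1.1 (and SSLv2/3) are refused outright; TLS 1.3 suites are
    # always AEAD with >= 128-bit keys and are governed separately by OpenSSL.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret key exchange with AEAD ciphers only; the negative entries
    # are belt-and-braces against anonymous, null, MD5, RC4 and 3DES suites.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
        "!aNULL:!eNULL:!MD5:!RC4:!3DES"
    )
    return ctx


def audit_context(ctx):
    """Names of enabled suites that classify_cipher would reject (ideally [])."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if classify_cipher(c["name"], c["strength_bits"]) == "reject"
    ]


def weakest_enabled_bits(ctx):
    """Smallest symmetric key size among the suites the context will offer."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


def check_negotiated(sock):
    """Defence in depth: call on an accepted ssl.SSLSocket and abort the
    connection if, despite the configuration, a weak suite was negotiated."""
    name, protocol, bits = sock.cipher()
    if classify_cipher(name, bits) == "reject":
        raise ssl.SSLError(f"refusing weak cipher {name} ({bits}-bit, {protocol})")
    return name, bits


if __name__ == "__main__":
    # Constructed sample values of the kind SSLSocket.cipher() returns.
    for sample in [("EXP-RC4-MD5", 40), ("DES-CBC-SHA", 56),
                   ("ECDHE-RSA-AES128-GCM-SHA256", 128)]:
        print(sample, "->", classify_cipher(*sample))
    ctx = hardened_context()
    print("weak suites enabled:", audit_context(ctx))
    print("weakest enabled key size:", weakest_enabled_bits(ctx), "bits")
```

The audit step is the one worth keeping in a deployment checklist: cipher strings are easy to get subtly wrong, and get_ciphers() shows what OpenSSL actually resolved them to on the machine in question rather than what the administrator intended.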

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/memdir/cg/.