Encryption compliance still the Wild West
By Jerome Wendt, Computerworld, 08/18/2008
Encrypting data is becoming a requirement. How well you need to manage the keys that are used to encrypt the data is still
open to debate.
The state of Iowa recently became the 43rd state to pass a data breach law that requires a company to notify its consumers
should the company discover that its consumers' personal information has been compromised. In states with laws like Iowa's, the primary
concern is ensuring that data stored to tape is encrypted so that, in the event the tape is lost or stolen, the data is considered
unrecoverable.
Yet some states do not consider encryption alone sufficient to ensure that the data is unrecoverable. Pennsylvania adds a
stipulation that companies need to have proper encryption key management policies in place. This guarantees that encrypted
data on tape cannot be decrypted should someone manage to get their hands on both the tape and the key used to encrypt it.
Laws like this open up a loophole as to what constitutes a proper encryption key management policy. It is no secret that encrypting
data stored to tape can be done at a number of points (backup software, tape drive, etc.) in the backup process. Yet encrypting
data at any of these points may require no more than supplying a one-word password to the software that encrypts the data. Whether
or not that constitutes a proper key management policy is unclear.
Encryption is becoming a part of the corporate landscape, partly out of necessity and partly because state laws are forcing
it upon companies. But laws differ by state and, at this stage in the game, companies cannot assume that just because they
have encrypted data or implemented encryption key management that they are either completely protected from future legal liabilities
or have complied with the law.
Jerome Wendt is the president and lead analyst at DCIG Inc. You may read his blogs at www.dciginc.com.
For more enterprise computing news, visit Computerworld. Story copyright Computerworld, Inc.
Comments (2)
"Are you sure?" By Anonymous on August 22, 2008, 11:33 am
"Pennsylvania adds a stipulation that companies need to have proper encryption key management policies in place. This guarantees that encrypted data on tape cannot...
"Soap box anyone?" By Anonymous on August 22, 2008, 5:08 pm
Consider the enormous security burdens and risks of today's Fortune 500 enterprises: they manage thousands and thousands of keys and certs to encrypt and thereby...