Monday, November 17, 2008
Encryption and the Law
Encryption technology is so commonplace, one might think that it would be required by basically all information security laws and regulations. However, as discussed in the comments to yesterday's post, encryption isn't even required by HIPAA, one of the most well known information security laws on the books. Well, as was the case with data breach notification laws, states are stepping up to fill the void left by the Federal Government. For example, as discussed in this post at The Email Admin Massachusetts is set to implement legislation requiring encryption of personal data for its residents (rule here). It is this kind of law (+ private rights of action) that I was referring to when I said if people want legal protection they should work to get new laws passed. The Federal Government is slow, and generally lags far behind. If consumers really want to make a change, the place to do it is at the state, not the federal, level.