How to Design or Review an Encryption Policy

Encryption refers to the process of converting data into a form that is unreadable unless the recipient has a pre-designated algorithm, “key,” and password to convert the information into readable text. Most statutes, regulations, and agencies that require that companies utilize encryption to protect data do not mandate that a specific encryption standard be used. Some statutes do require, however, that companies use an encryption key that is at least 128-bits in length.

When examining whether a company’s use of encryption is reasonable and appropriate for the type of data collected and the risks posed to that data, regulators often examine whether a company utilizes encryption “at rest” and/or “in transit.” Encryption “at rest” refers to encryption applied to data while it is being stored. Encryption “in transit” refers to encryption applied to data while it is being transmitted across a network. Depending upon the type of software being used, and the architecture of a database, encryption at rest may significantly impair the ability of the data to be accessed and used efficiently. 

What to think about when designing, or reviewing, an encryption policy:

1. What types of data does our organization encrypt?

2. Is the data encrypted at rest?

3. Is the data encrypted in transit?

4. What encryption standards are used at rest and/or in transit?

5. Are those encryption standards considered “strong” within the security community?

6. Is there evidence that those encryptions standards have been compromised?

7. Is there a process to review the sufficiency of the encryption standard periodically (e.g., once per year)?

8. Has your organization contractually agreed to maintain a specific encryption standard?

The following provides snapshot information concerning encryption. 

[1] Bryan Cave Survey of State Safeguard Statutes (2015).

[2] Id.

[3] Id.