I’ve been hearing informally from regulators for some time that they are concerned with the view that encryption is a panacea. I agree.
Older encryption algorithms are increasingly likely to be broken, given the enormous increase in computing power available to anyone with a credit card (even a stolen one) and an internet connection to Amazon’s cloud services: a brute-force search that once required dedicated hardware can now be rented by the hour. Several US states and US financial regulations do not offer encryption as a safe harbor; instead, they require that a risk-of-harm analysis be conducted. Regulators will look at an organization’s entire privacy program, including the strength of the encryption used, key management, the password strength requirements pushed out through group policy, and whether your staff tape their passwords to the bottom of their laptops or external drives.
If you don’t believe me, what do you think a regulator reading this article will think?
Think big picture when it comes to your privacy program.