Encryption is a Safe Harbor . . . No More


I’ve been hearing informally from regulators for some time that they are concerned with the view that encryption is a panacea. I agree.

Older encryption algorithms and short keys are increasingly likely to be broken by brute force, given the enormous computing power available to anyone with a credit card (even a stolen one) and an internet connection to Amazon’s cloud services. Several US states and US financial regulations do not treat encryption as a safe harbor; instead they require that a risk-of-harm analysis be conducted. Regulators will look at an organization’s entire privacy program, including the strength of the encryption used, how the encryption keys are managed, the password strength requirements pushed through group policy, and whether your staff tape their passwords to the bottom of their laptops or external drives.

If you don’t believe me, consider what a regulator reading this article will think.

Think big picture when it comes to your privacy program.

3 thoughts on “Encryption is a Safe Harbor . . . No More”

  1. Encryption is about shifting vulnerabilities and risk reduction. Organizations shift from keeping data in a highly vulnerable/risky location (such as an unencrypted database) to a less vulnerable/risky one (wherever they store the encryption key). This is why privacy is different from security. Security is about risk reduction, whereas privacy is about risk negation.

  2. Can you define “risk negation” as you are using it? Depending on how you respond, I might agree that there is an element of risk elimination in some privacy paradigms (e.g., the EU), but I would suggest that not all organizations take that approach. I would have said that I look to risk reduction in the privacy space as well. Also, I look at security as being one of the pillars of privacy, so an inconsistent approach between pillars is not going to enable success in the long run.

  3. Pingback: HTTPS No Longer Secure??? | Next Practices
