Contributing Editorial: Encryption And Encryption Key Management Becoming Mandates To Provide 'Safe Harbor'

By Jerome Wendt and Howard Haile, DCIG LLC

In a previous blog entry we discussed different technologies available to encrypt backup tapes and the unlimited liabilities associated with the breach of an unencrypted backup tape. Making sure the data on that tape is encrypted, however, is not an automatic cure-all. After all, encryption is only as strong as your key management and, in some states, encrypting backup tapes is no longer enough to protect your company from future risks. In these circumstances, proper key management needs to become a critical part of any data protection strategy or you will still face the lawsuits and public scrutiny you sought to avoid by deciding to encrypt the data in the first place.

Many states continue to expand their data breach legislation and most new state laws mandate customer notification if a data breach occurs. Many times companies are exempt if they have deployed tape encryption as liability protection against data loss, but that is not always enough. Some states, such as Pennsylvania, mandate proper key management as well as encryption to provide "safe harbor." So, from a liability standpoint, proper key management can be as important as the encryption itself. From a data protection standpoint, your encryption keys need to be protected as much as your most important data.