requires data collectors to use encryption if they are transmitting personal information outside of their business network
must encrypt the data if it is sent externally via email or any other electronic transmission
helps protect data while it is being transferred from one entity to another
excludes facsimiles (fax) from the transmission encryption requirements
Encryption for data at rest
requires data collectors to encrypt personal information on any data storage device that is moved beyond the technical or physical controls of their business
means that they must encrypt any storage device that leaves the business location
must encrypt backup tapes containing personal information that they send to an off-site storage facility
helps protect data if the storage media is lost or stolen
Key Aspects
encryption rule is novel because of its breadth
covers data when it is stored and when it is transmitted
law is also interesting because of how it defines encryption
data collectors must use encryption technologies adopted by a standards-setting body
references the Federal Information Processing Standards (FIPS)
technology used must make the personal information unreadable
requires that data collectors use good cryptographic key management practices to protect encryption keys
requires data collectors to use key management practices created by a standards-setting body
specifically refers to NIST standards
Liability
data collector that complies with the law is not liable for damages resulting from a security breach