Institutional Encryption Requirements

When data is encrypted:1. It must be reasonably encrypted to ensure

confidentiality and integrity2. It must be available even in the event the

encryption key is lost, stolen or otherwise unavailable

Confidentiality & Integrity

“Standards” for encryption Defining due diligence for UCLA No rot-13!

Availability

Types of data of concern Things to consider How to approach

Availability: Of what data?Records subject to a California Public Records Act request,

including email not falling under incidental personal useAdministrative book of record data required by applicable law and

policyTransient book of record data, e.g., original data created on a

laptop that is book of record until it is transferred to a main database

Data with under a legal obligation, such as:Non-book of record data (i.e., copies) that the University is under legal

obligation to segregate, such as copies of data under a duty to preserve (e-discovery)

Research data subject to a contracts and grants requirementData whose unavailability will cause some other institutional

impact (e.g., information relevant to a patent dispute)

Availability: Things to consider 1Availability is not a new requirement!It is driven by many legal obligations, including the

California Public Records Act that speaks to transparency and accountability of public institutions.

Availability: Things to consider 2Privacy and cultural concernsIntertwining with non-consensual access protocolNative encryption in applications / databasesNative encryption of laptopsTrend toward ubiquitous native hard disk encryption

Availability: How to approachEncryption key management