Why Encrypt

This document consists of explanations as to why we encrypt data. The screenshots were taken in June, 2010.

Generally, we are obligated to keep confidential data private, and encryption is a tool to accomplish this obligation. The sections below indicate specific direct and indirect reasons why we encrypt data.

  1. SIU Policy
  2. Personal Information Protection Act (PIPA)
  3. Family Educational Rights and Privacy Act (FERPA)
  4. Payment Card Industry Data Security Standard (PCI DSS)
  5. Health Insurance Portability and Accountability Act (HIPAA)
  6. Best Practices
  7. American National Standards Institute (ANSI) Report
  8. Institute of Electrical and Electronic Engineers (IEEE) Policy

1. SIU Policy

SIU Policy directs us to supplement automatic protection of files for sensitive information. Encryption is a method of complying with this policy.

  • Figure 1, SIU Policy - a representation of a web page that shows the policy that indicates that it is each user’s responsibility to supplement automatic protection for sensitive information. See https://oit.siu.edu/about/policies/ for the actual web page.

2. Personal Information Protection Act (PIPA)

The Personal Information Protection Act (PIPA) is a State of Illinois law which defines personal information and mandates that people be notified under certain conditions when a breach of security occurs.

  • Figure 2, PIPA Policy - a representation of a web page which shows part of the policy on PIPA. Notice that encryption mitigates a security breach. See https://policies.siu.edu/policies/prsnlinfoprotectionact.php for the actual web page.

3. Family Educational Rights and Privacy Act (FERPA)

The federal Family Educational Rights and Privacy Act (FERPA) generally tells us that information about a student is private.

  • Figure 3, FERPA - a cutout from a web site that summarizes FERPA. You can see that federal law protects the privacy of students and that generally we must have written permission to release information about a student. See the entire web site here: https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html. Encryption is one method that can be used to protect the privacy of student information.

  • Figure 4, SIU FERPA Policy - a representation of an SIU web site which indicates policy to supplement the federal FERPA regulation. See https://policies.SIU.edu/policies/rlseinfo.html for the entire policy.

4. Payment Card Industry Data Security Standard (PCI DSS)

If your area processes credit cards, then you are obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS). Two requirements of PCI DSS relate to encryption:

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

See https://www.pcisecuritystandards.org/ for more information about PCI DSS.

5. Health Insurance Portability and Accountability Act (HIPAA)

If your area handles medical information, then you are generally obligated to keep this information protected as well.

  • Figure 5, HIPAA - summarizes HIPAA regulation about keeping health information protected.

6. Best Practices

An information security best practice of defense in depth—applying multiple layers of security controls—indicates that encryption should be utilized as a layer of protection in addition to other layers such as firewalls and intrusion detection systems.

7. American National Standards Institute (ANSI) Report

The American National Standards Institute (ANSI) also addresses encryption.

  • Figure 6, ANSI Report - refers to the lack of data encryption as organizational mismanagement and notes that it increases the likelihood of a data breach and the potential for identity theft. See this PDF file for the entire report.

8. Institute of Electrical and Electronic Engineers (IEEE) Policy

The Institute of Electrical and Electronic Engineers (IEEE) considers encryption to be essential for governmental, financial, medical, and industrial operations.

  • Figure 7, IEEE Policy - a representation of the IEEE encryption policy.