Institutional Encryption Requirements
When data is encrypted:
• It must be reasonably encrypted to ensure confidentiality and integrity
• It must be available even in the event the encryption key is lost, stolen or otherwise unavailable

Confidentiality & Integrity
• “Standards” for encryption
• Defining due diligence for UCLA
• No rot-13!

Availability
• Types of data of concern
• Things to consider
• How to approach

Availability: Of what data?
• Records subject to a California Public Records Act request, including email not falling under incidental personal use
• Administrative book of record data required by applicable law and policy
• Transient book of record data, e.g., original data created on a laptop that is book of record until it is transferred to a main database
• Data under a legal obligation, such as:
  • Non-book of record data (i.e., copies) that the University is under legal obligation to segregate, such as copies of data under a duty to preserve (e-discovery)
  • Research data subject to a contracts and grants requirement
• Data whose unavailability will cause some other institutional impact (e.g., information relevant to a patent dispute)

Availability: Things to consider 1
• Availability is not a new requirement!
• It is driven by many legal obligations, including the California Public Records Act, which speaks to the transparency and accountability of public institutions.

Availability: Things to consider 2
• Privacy and cultural concerns
• Intertwining with non-consensual access protocol
• Native encryption in applications / databases
• Native encryption of laptops
• Trend toward ubiquitous native hard disk encryption

Availability: How to approach
• Encryption key management