New Jersey Security Requirements (including encryption of personal information)

A proposed New Jersey regulation that may be come law in 2008. It has very specific requirements around encryption of personal information at rest and in transit. In particular, if these rules pass organizations would be required to encrypt according to the Federal Information Processing Standard (FIPS) recommended standard, which is the Advanced Encryption Standard (AES) 128-bit to 256-bit. This law also has 20 other fairly specific security requirements.

How will these specific requirements related to other State, Federal, International security requirements? Do the specifics in this regulation harken a movement away from a "technology neutral" approach to information security regulation?

Blogged with Flock