Federal/State standards for data encryption via the WWW

[Nick Fischio <nsf2 () CWRU EDU>]

All,

I am a member of the IT staff at Case Western Reserve University and I am in the process of developing a proposal for 
utilizing SSL on several of our web applications to encrypt personal information (i.e. SSN, credit card #s, etc.).  I 
am aware that a need exists to encrypt certain types of information while we transmit it via the WWW, however, I am not 
aware of any federal of state standards surrounding this issue.  Ideally, I am hoping to find a document detailing the 
type of information that warrants encryption, and also the level of encryption necessary.  For example, does one need 
to encrypt an SSN at 40-bit or 128-bit prior to transmission over the internet?

Also, if anyone is aware of the legal implications, either at the state or federal level, I would appreciate some 
discussion surrounding this as well.  

Thank you,
Nick Fischio

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.