The House of Representatives has passed a bill that would set a nationwide rule similar to California's SB 1386 (Cali's data breach notification law, as some call it). Among other similarities, it grants safe harbor for any companies that use data encryption to minimize the risk of a security breach of people's personal information.
While I'll have to provide a more in-depth look at the law once it passes the Senate as well, at first glance it looks like the House has put some effort into fortifying certain aspects of data breach laws that were lacking.
What types of fortifications? For example, when Nevada first passed its data breach notification law, criticism was directed at legal language that appeared to condone the use of, say, data compression programs as a data protection measure, because compression software technically renders information unreadable.
In other words, if you lost zipped data, you were given a legal exemption from sending out notifications. This, despite the fact that anyone would be able to unzip (uncompress) the data quite easily with freely downloadable tools, since reversing compression requires no key or secret of any kind. (I'm not a lawyer, but I've lived long enough to know that winning or losing a case in court can depend on the placement of a comma, so I know language is pretty darn important.)
Other criticisms of "encryption laws" in general point out that not all encryption is the same:
In-house encryption: Good encryption algorithms are surprisingly hard to create, and only a handful provide adequate levels of data security. Companies may decide to go with an unproven, unvetted one because it's cheaper. Nominally, encryption has been used in such a case, but it does not follow the spirit of the law (and companies, in my experience, tend to lean towards following the letter, not the spirit, of the law).
Strong encryption: An encryption scheme that provides more than adequate protection today may not be able to do so tomorrow due to technological progress. Will the law have to be rewritten every time there is a technological breakthrough?
However, the House bill seems to have gotten around those issues. Among other things:
Encryption will be considered adequate if "the method of encryption or such other technology or methodology is generally accepted by experts in the information security field."
If there is no general consensus on a particular type of encryption or other data security method, then there is no exemption.
On top of this, a Federal board is going to review data protection technologies and methodologies on a biannual basis (I'm assuming that's every two years, as opposed to twice a year), taking in recommendations from "experts and established standard setting bodies."
The above will probably raise a bunch of concerns of its own as well, such as the possibility of industry bodies--usually composed of the biggest companies with a profit motive--muscling out up-and-coming technologies and whatnot (you know, just general concerns that seem to repeat in industry after industry, time after time).
But, if encryption software like AlertBoot is to be used and mandated by the Feds, it looks like a step in the right direction, regardless.
Related Articles and Sites:
http://fcw.com/Articles/2009/12/10/Web-House-passes-national-data-breach-bill.aspx?Page=1
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h2221eh.txt.pdf