AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security


Netherlands Encryption: Dutch Government Proposes Stricter Data Breach Notification Law

It looks like the Netherlands will get a greater impetus for the use of encryption software sooner rather than later.  According to many sources, the Netherlands' parliament has before it a proposal for reporting data breaches to the Dutch Data Protection Authority (DPA or CBP, College Bescherming Persoonsgegevens).  Failure to comply with the proposed legislation could mean a monetary penalty of up to EUR 450,000.

DPA Overseeing Breaches

The newly suggested law, if it passes, would give oversight of data breach notifications to the DPA.  Currently the ACM (Authority for Consumers and Markets; the Netherlands' consumer and competition regulator, akin to the US's FTC) is in charge when it comes to breach notifications.

Furthermore, the new legislation proposes a change in who needs to report data breaches.  Under the new law all organizations, both public and private, will have to report a data breach to the overseeing authority.  In addition, according to twobirds.com, for breaches

"that may have a negative impact on the data-subjects’ privacy, [organizations] will have to [notify] these data subjects as well"

The site goes on to note that

"This implies that the data subjects will not have to be notified if the controller has encrypted the data in an appropriate manner, i.e. in such way that non-authorised persons will not be able to access the data."

Note how it reads "encrypted the data in an appropriate manner."  The implication here is that you can't just use any encryption.  Failure to follow the law subjects organizations to a maximum penalty of 450,000 euros.

Examples of the types of data breaches that might be subject to the law are given, per the site twobirds.com, and the DPA promises to issue guidelines.

What Kind of Encryption?

So, if it cannot be just any kind of encryption, what kind of encryption would satisfy the condition of "encrypted in an appropriate manner"?  Obviously, it will depend on the situation.  If you are sending something over the wires (data in motion), the required encryption will be different from disk encryption for data-at-rest.

For the latter, at least, people should be looking for a minimum encryption strength of AES-128.  Not only is it the official encryption algorithm for government secrets, it has also been studied (and is still being studied) by many for backdoors and weaknesses.  The conclusion is that the algorithm is extremely secure and will be for years to come.

In addition to the above, it might be useful to use encryption that has been FIPS 140-2 validated.  Although FIPS is an American standard meant for non-military federal government data, it must be recognized that sensitive personal data is the same regardless of which country one happens to be in.  As long as you're looking to protect everyday yet sensitive data, one couldn't do much better than FIPS

Related Articles and Sites:
http://www.twobirds.com/English/News/Articles/Pages/netherlands_legislative_proposal_general_breach_notification.Aspx
http://www.telecompaper.com/news/dutch-govt-proposes-data-breach-notification-requirements--952140

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.