--- begin forwarded text
Date: Thu, 2 Jun 2005 14:18:42 -0400 To: Philodox Clips List <[EMAIL PROTECTED]> From: "R.A. Hettinga" <[EMAIL PROTECTED]> Subject: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills Reply-To: [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] <http://www.eweek.com/print_article2/0,2533,a=153008,00.asp> EWeek Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills May 31, 2005 By Caron Carlson Spurred by the ongoing flood of sensitive data breaches this spring, nearly a dozen states may have breach notification laws on their books by summer. In turn, makers of security software and companies in several other industries are pressuring Capitol Hill for a federal law pre-empting the states' measures. In Congress, more than a half-dozen bills requiring a range of data security measures and breach notification rules are pending, and at least two more are slated for introduction in coming months. These measures-including one under consideration by Rep. Cliff Stearns, R-Fla., and one in the draft stages by Rep. Deborah Pryce, R-Ohio-illustrate one of the most contentious questions in the debate: Should there be a notification exemption for businesses that encrypt their data? Not surprisingly, industries for the most part are pushing for an encryption exemption to notification, a safe harbor that is included in California SB (Senate Bill) 1386, a notification law that went into effect in July 2003. The growing security software industry, a major ally in this effort, is trying to convince lawmakers that when encrypted data is stolen, the theft poses no meaningful harm to consumers. "If the data is encrypted, it's gibberish. They don't know what it is. They can't use it," said Dan Burton, vice president of government affairs for Entrust Inc. Read more here about the theft of MCI data and its effect on the debate over encryption. Some data security experts contend, however, that an encryption safe harbor could reduce data holders' incentives to implement strong protective measures in the first place. Criticizing the California notification law, Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., of Mountain View, Calif., said it lets data holders bypass disclosure without necessarily protecting the data. "You can encrypt the data with a trivial algorithm and get around [the law]," Schneier said. "If you can get around a law by doing something stupid, it's a badly written law." Entrust supports an encryption exemption to notification but not without other security requirements, said Chris Voice, CTO at the Addison, Texas, company. "Like any technological approach, it's going to require more than just encrypting the data," Voice said. "I think security controls will have to be in place regardless." Click here to read about anti-spyware bills moving to the Senate. Even strong encryption theoretically can be broken, but it requires resources and effort that thieves are highly unlikely to expend, advocates of the safe harbor argue. That argument does not appease consumer representatives. "We may not be comfortable having our information out there, even in gibberish format," said Susanna Montezemolo, policy analyst at the Consumers Union, in Washington. "Encryption shouldn't be the issue. We shouldn't have to define potential harm and risk." Acknowledging the political influence of the industries lobbying for the safe harbor, however, Montezemolo said that a breach notification law with a safe harbor is better than no law at all but that the safe harbor must be narrowly tailored so as not to be an excuse for shoddy security. -- ----------------- R. A. Hettinga <mailto: [EMAIL PROTECTED]> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' _______________________________________________ Clips mailing list [EMAIL PROTECTED] http://www.philodox.com/mailman/listinfo/clips --- end forwarded text -- ----------------- R. A. Hettinga <mailto: [EMAIL PROTECTED]> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]