Posted on cryptography@metzdowd.com:
<http://www.eweek.com/print_article2/0,2533,a=153008,00.asp>
EWeek
Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
May 31, 2005
By Caron Carlson
Spurred by the ongoing flood of sensitive data breaches this spring, nearly
a dozen states may have breach notification laws on their books by summer.
In turn, makers of security software and companies in several other
industries are pressuring Capitol Hill for a federal law pre-empting the
states' measures.
In Congress, more than a half-dozen bills requiring a range of data
security measures and breach notification rules are pending, and at least
two more are slated for introduction in coming months.
Here is a suggestion for an encrypted data exception based on reasonable
key management principles:
--------------------
Sec xyz) The [breach notification requirement set forth in section ...]
does not apply to [breached data portions] for which the following
conditions are demonstrably met:
a) the [breached data portion] is in an encrypted form using an
encryption algorithm and an encryption key that can be shown to be
[resistant / compatible or equivalent to NIST recommended practice for
encrypting classified data],
b) the said encryption key has always been under the sole control of the
[data originator],
c) the [data originator] is in a position to retire every copy of the
said encryption key from operations, and
d) the [data originator] takes all reasonable steps to so retire every
copy of the said encryption key from operations as soon as the [data
breach event] is known to [the data originator], and completes such
retirement within [a delay e.g. the same delay as for notification].
The evidence that conditions a) to d) are met shall be [kept for auditor
review / filed with an incident report otherwise mandated]
--------------------
Is that actually a reasonable key management principle?
Is it possible that the US law-makers adopt such sensible approaches?
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
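The key management principle behind conditions b) to d) of the proposal
above, written out as an added example (this is not code from the original
post, and Thierry Moreau's message does not prescribe any particular design):
each record is encrypted under its own data key (DEK), every DEK is wrapped
under a key-encryption key (KEK) that stays with the data originator, and
"retiring every copy of the key" becomes zeroising and deleting the KEK.
Records that are still needed are re-wrapped under a fresh KEK first, so
retirement costs nothing but the breached copies. Assumptions made here:
AES-256-GCM stands in for the bracketed "NIST recommended practice"; the
Keyring map is the only holder of the KEKs (the Retire step can only satisfy
condition c) if the KEK was never exported); and the type and function names
are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what a breach exposes: ciphertext plus its DEK wrapped under a KEK.
type Record struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// Keyring holds the originator's KEKs by ID; assumed to be the only copies anywhere.
type Keyring map[string][]byte

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this is a programming error
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback if the system CSPRNG fails
	}
	return b
}

// seal is AES-256-GCM with a random 96-bit nonce prepended to the output.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// NewKEK installs a fresh 256-bit KEK under id.
func (r Keyring) NewKEK(id string) { r[id] = randomBytes(32) }

// Encrypt: fresh DEK per record, wrapped under the named KEK; the KEK ID is
// bound as associated data so a wrapped DEK cannot be relabelled.
func (r Keyring) Encrypt(kekID string, plaintext []byte) (*Record, error) {
	kek, ok := r[kekID]
	if !ok {
		return nil, fmt.Errorf("unknown KEK %q", kekID)
	}
	dek := randomBytes(32)
	return &Record{
		KEKID:      kekID,
		WrappedDEK: seal(kek, dek, []byte(kekID)),
		Ciphertext: seal(dek, plaintext, nil),
	}, nil
}

func (r Keyring) Decrypt(rec *Record) ([]byte, error) {
	kek, ok := r[rec.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q is retired or unknown", rec.KEKID)
	}
	dek, err := open(kek, rec.WrappedDEK, []byte(rec.KEKID))
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext, nil)
}

// Rewrap moves a still-needed record onto a new KEK; the ciphertext is untouched.
func (r Keyring) Rewrap(rec *Record, newID string) error {
	oldKEK, okOld := r[rec.KEKID]
	newKEK, okNew := r[newID]
	if !okOld || !okNew {
		return fmt.Errorf("rewrap needs both KEK %q and KEK %q", rec.KEKID, newID)
	}
	dek, err := open(oldKEK, rec.WrappedDEK, []byte(rec.KEKID))
	if err != nil {
		return err
	}
	rec.KEKID, rec.WrappedDEK = newID, seal(newKEK, dek, []byte(newID))
	return nil
}

// Retire zeroises and deletes a KEK: everything still wrapped under it, breached
// copies included, is unrecoverable from then on.
func (r Keyring) Retire(id string) {
	for i := range r[id] {
		r[id][i] = 0
	}
	delete(r, id)
}
```

Usage: encrypt under "kek-2005-05", keep a copy of the Record as the breached
material, install "kek-2005-06", Rewrap the live records, then Retire the old
ID. Decrypt on the breached copy now fails (no KEK), while the re-wrapped
record still opens. Note what the code cannot do: if a copy of the KEK was
ever backed up, escrowed or handed to a third party, Retire only removes the
originator's copy, which is exactly why condition b) precedes c) and d).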