Posted on cryptography@metzdowd.com:

<http://www.eweek.com/print_article2/0,2533,a=153008,00.asp>

EWeek


Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
May 31, 2005
By Caron Carlson

Spurred by the ongoing flood of sensitive data breaches this spring, nearly
a dozen states may have breach notification laws on their books by summer.
In turn, makers of security software and companies in several other
industries are pressuring Capitol Hill for a federal law pre-empting the
states' measures.

In Congress, more than a half-dozen bills requiring a range of data
security measures and breach notification rules are pending, and at least
two more are slated for introduction in coming months.


Here is a suggestion for an encrypted data exception based on reasonable key management principles:

--------------------

Sec xyz) The [breach notification requirement set forth in section ...] does not apply to [breached data portions] for which the following conditions are demonstrably met:

a) the [breached data portion] is in an encrypted form using an encryption algorithm and an encryption key that can be shown to be [resistant / compatible or equivalent to NIST recommended practice for encrypting classified data],

b) the said encryption key has always been under the sole control of the [data originator],

c) the [data originator] is in a position to retire every copy of the said encryption key from operations, and

d) the [data originator] takes all reasonable steps to so retire every copy of the said encryption key from operations as soon as the [data breach event] is known to [the data originator], and completes such retirement within [a delay e.g. the same delay as for notification].

The evidence that conditions a) to d) are met shall be [kept for auditor review / filed with an incident report otherwise mandated].

--------------------

Is that actually a reasonable key management principle?

Is it possible that the US law-makers adopt such sensible approaches?

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]

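As an added illustration, not part of the post above and not any vendor's code, here is a small Go model of what conditions b) to d) of the proposed clause amount to operationally. It assumes envelope encryption with AES-256-GCM from the Go standard library: each breached data portion carries its own data key (DEK), and the DEK is wrapped under a key-encryption key (KEK) that only the data originator holds. "Retiring every copy of the key" then means zeroizing the KEK and recording when, after which no holder of the leaked envelope can recover it. The in-memory keystore, the key ids and the 72-hour deadline are constructed placeholders; a real originator would keep the KEK in an HSM or key-management service and would have to account for every backup and replica copy before condition c) holds, which this single-process model cannot show.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Envelope is one encrypted data portion: the payload is sealed with a per-record
// DEK and the DEK is sealed with a KEK only the originator holds (constructed model).
type Envelope struct {
	KEKID                 string
	WrapNonce, WrappedDEK []byte
	DataNonce, Ciphertext []byte
}

type kekRecord struct {
	key       []byte
	retiredAt *time.Time // set once this copy has been zeroized (condition d)
}

// Keystore models the originator's sole-control custody of its KEKs (condition b).
type Keystore struct{ keks map[string]*kekRecord }

func NewKeystore() *Keystore { return &Keystore{keks: map[string]*kekRecord{}} }

// NewKEK creates a random 256-bit AES key-encryption key and returns its id.
func (ks *Keystore) NewKEK() string {
	id := fmt.Sprintf("kek-%d", len(ks.keks)+1) // hypothetical id scheme
	ks.keks[id] = &kekRecord{key: random(32)}
	return id
}

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: nothing sensible to do but stop
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, so this cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts with AES-256-GCM under a fresh random nonce.
func seal(key, plaintext, aad []byte) (nonce, ct []byte) {
	g := aead(key)
	nonce = random(g.NonceSize())
	return nonce, g.Seal(nil, nonce, plaintext, aad)
}

// EncryptRecord seals one data portion under a fresh DEK and wraps the DEK with the
// named KEK; the KEK id is bound as associated data so an envelope cannot be re-pointed.
func EncryptRecord(ks *Keystore, kekID string, plaintext []byte) (*Envelope, error) {
	rec, ok := ks.keks[kekID]
	if !ok || rec.retiredAt != nil {
		return nil, errors.New("KEK unavailable or retired")
	}
	dek := random(32)
	dn, ct := seal(dek, plaintext, []byte(kekID))
	wn, wrapped := seal(rec.key, dek, []byte(kekID))
	return &Envelope{KEKID: kekID, WrapNonce: wn, WrappedDEK: wrapped, DataNonce: dn, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK and opens the payload; it fails for everyone once the KEK is retired (condition c).
func DecryptRecord(ks *Keystore, env *Envelope) ([]byte, error) {
	rec, ok := ks.keks[env.KEKID]
	if !ok || rec.retiredAt != nil {
		return nil, errors.New("KEK retired: ciphertext is unrecoverable")
	}
	dek, err := aead(rec.key).Open(nil, env.WrapNonce, env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, err
	}
	return aead(dek).Open(nil, env.DataNonce, env.Ciphertext, []byte(env.KEKID))
}

// Retire zeroizes the KEK copy this store holds and records when: the evidence an auditor would review.
func (ks *Keystore) Retire(kekID string, when time.Time) error {
	rec, ok := ks.keks[kekID]
	if !ok {
		return errors.New("unknown KEK")
	}
	for i := range rec.key {
		rec.key[i] = 0
	}
	rec.retiredAt = &when
	return nil
}

// RetiredWithinDeadline checks condition d): retirement completed within the permitted delay after the breach became known.
func (ks *Keystore) RetiredWithinDeadline(kekID string, breachKnown time.Time, delay time.Duration) bool {
	rec, ok := ks.keks[kekID]
	return ok && rec.retiredAt != nil && !rec.retiredAt.After(breachKnown.Add(delay))
}
```

Usage: `ks := NewKeystore(); id := ks.NewKEK(); env, _ := EncryptRecord(ks, id, data)`; on learning of a breach, call `ks.Retire(id, time.Now())` and keep the returned timestamp with the incident record, then `ks.RetiredWithinDeadline(id, breachKnown, 72*time.Hour)` is the check against the clause's delay. The design point is that the wrapped DEK travels with the breached data while the KEK never does, which is what makes condition b) (sole control) and condition c) (ability to retire every copy) achievable at all.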

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
