[Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

Thierry Moreau thierry.moreau at connotech.com
Fri Jun 3 00:12:31 EDT 2005 

Posted on cryptography at metzdowd.com:

> <http://www.eweek.com/print_article2/0,2533,a=153008,00.asp>
> 
> EWeek
> 
> 
> Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
> May 31, 2005
>  By   Caron Carlson
> 
> Spurred by the ongoing flood of sensitive data breaches this spring, nearly
> a dozen states may have breach notification laws on their books by summer.
> In turn, makers of security software and companies in several other
> industries are pressuring Capitol Hill for a federal law pre-empting the
> states' measures.
> 
> In Congress, more than a half-dozen bills requiring a range of data
> security measures and breach notification rules are pending, and at least
> two more are slated for introduction in coming months.
> 

Here is a suggestion for an encrypted data exception based on reasonable 
key management principles:

--------------------

Sec xyz) The [breach notification requirement set forth in section ...] 
does not apply to [breached data portions] for which the following 
conditions are demonstrably met:

a) the [breached data portion] is in an encrypted form using an 
encryption algorithm and an encryption key that can be shown to be 
[resistant / comptatible or equivalent to NIST recommended practice for 
encrypting classified data],

b) the said encryption key has always been under the sole control of the 
[data originator],

c) the [data originator] is in a position to retire every copy of the 
said encryption key from operations, and

d) the [data originator] takes all resaonable steps to so retire every 
copy of the said encryption key from operations as soon as the [data 
breach event] is known to [the data originator], and completes such 
retirement within [a delay e.g. the same delay as for notification].

The evidence that conditions a) to d) are met shall be [kept for auditor 
review / filed with an incident report otherwise mandated]

--------------------

Is that actually a reasonable key management principle?

Is it possible the the US law-makers adopt such sensible approaches?

-- 

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: thierry.moreau at connotech.com


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list