[Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

R.A. Hettinga rah at shipwright.com
Thu Jun 2 14:28:14 EDT 2005 

--- begin forwarded text


Date: Thu, 2 Jun 2005 14:18:42 -0400
To: Philodox Clips List <clips at philodox.com>
From: "R.A. Hettinga" <rah at shipwright.com>
Subject: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach
	Bills
Reply-To: rah at philodox.com
Sender: clips-bounces at philodox.com

<http://www.eweek.com/print_article2/0,2533,a=153008,00.asp>

EWeek


Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
May 31, 2005
 By   Caron Carlson

Spurred by the ongoing flood of sensitive data breaches this spring, nearly
a dozen states may have breach notification laws on their books by summer.
In turn, makers of security software and companies in several other
industries are pressuring Capitol Hill for a federal law pre-empting the
states' measures.

In Congress, more than a half-dozen bills requiring a range of data
security measures and breach notification rules are pending, and at least
two more are slated for introduction in coming months.


These measures-including one under consideration by Rep. Cliff Stearns,
R-Fla., and one in the draft stages by Rep. Deborah Pryce,
R-Ohio-illustrate one of the most contentious questions in the debate:
Should there be a notification exemption for businesses that encrypt their
data?

Not surprisingly, industries for the most part are pushing for an
encryption exemption to notification, a safe harbor that is included in
California SB (Senate Bill) 1386, a notification law that went into effect
in July 2003. The growing security software industry, a major ally in this
effort, is trying to convince lawmakers that when encrypted data is stolen,
the theft poses no meaningful harm to consumers.

"If the data is encrypted, it's gibberish. They don't know what it is. They
can't use it," said Dan Burton, vice president of government affairs for
Entrust Inc.

Read more here about the theft of MCI data and its effect on the debate
over encryption.

Some data security experts contend, however, that an encryption safe harbor
could reduce data holders' incentives to implement strong protective
measures in the first place. Criticizing the California notification law,
Bruce Schneier, chief technology officer at Counterpane Internet Security
Inc., of Mountain View, Calif., said it lets data holders bypass disclosure
without necessarily protecting the data.


"You can encrypt the data with a trivial algorithm and get around [the
law]," Schneier said. "If you can get around a law by doing something
stupid, it's a badly written law."

Entrust supports an encryption exemption to notification but not without
other security requirements, said Chris Voice, CTO at the Addison, Texas,
company. "Like any technological approach, it's going to require more than
just encrypting the data," Voice said. "I think security controls will have
to be in place regardless."

Click here to read about anti-spyware bills moving to the Senate.

Even strong encryption theoretically can be broken, but it requires
resources and effort that thieves are highly unlikely to expend, advocates
of the safe harbor argue.

That argument does not appease consumer representatives. "We may not be
comfortable having our information out there, even in gibberish format,"
said Susanna Montezemolo, policy analyst at the Consumers Union, in
Washington. "Encryption shouldn't be the issue. We shouldn't have to define
potential harm and risk."

Acknowledging the political influence of the industries lobbying for the
safe harbor, however, Montezemolo said that a breach notification law with
a safe harbor is better than no law at all but that the safe harbor must be
narrowly tailored so as not to be an excuse for shoddy security.


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
_______________________________________________
Clips mailing list
Clips at philodox.com
http://www.philodox.com/mailman/listinfo/clips

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list