Thursday, June 02, 2005

Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills

By Caron Carlson

“Spurred by the ongoing flood of sensitive data breaches this spring, nearly a dozen states may have breach notification laws on their books by summer. In turn, makers of security software and companies in several other industries are pressuring Capitol Hill for a federal law pre-empting the states' measures.

In Congress, more than a half-dozen bills requiring a range of data security measures and breach notification rules are pending, and at least two more are slated for introduction in coming months.

These measures—including one under consideration by Rep. Cliff Stearns, R-Fla., and one in the draft stages by Rep. Deborah Pryce, R-Ohio—illustrate one of the most contentious questions in the debate: Should there be a notification exemption for businesses that encrypt their data?

Not surprisingly, industries for the most part are pushing for an encryption exemption to notification, a safe harbor that is included in California SB (Senate Bill) 1386, a notification law that went into effect in July 2003. The growing security software industry, a major ally in this effort, is trying to convince lawmakers that when encrypted data is stolen, the theft poses no meaningful harm to consumers.

"If the data is encrypted, it's gibberish. They don't know what it is. They can't use it," said Dan Burton, vice president of government affairs for Entrust Inc.

Some data security experts contend, however, that an encryption safe harbor could reduce data holders' incentives to implement strong protective measures in the first place. Criticizing the California notification law, Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., of Mountain View, Calif., said it lets data holders bypass disclosure without necessarily protecting the data.

‘You can encrypt the data with a trivial algorithm and get around [the law],’ Schneier said. ‘If you can get around a law by doing something stupid, it's a badly written law.’

Entrust supports an encryption exemption to notification but not without other security requirements, said Chris Voice, CTO at the Addison, Texas, company. ‘Like any technological approach, it's going to require more than just encrypting the data,’ Voice said. ‘I think security controls will have to be in place regardless.’”
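Schneier's objection is concrete, not rhetorical. The following is an added example (it is not part of the blog post or the eWeek article) of the kind of "trivial algorithm" he means: a repeating-key XOR applied to customer records. Breach data has a known layout (every row carries the same field labels), so an attacker holding the ciphertext and knowing the format XORs the first bytes of a record against the label, recovers the key, and decrypts the whole set. The key, the records and the field labels are constructed for the demonstration.

```python
"""
Added example: why "the data was encrypted" says nothing by itself.

A repeating-key XOR is the "trivial algorithm" of Schneier's remark. Records
share a known layout (field labels such as "name="), so the key falls out of
a known-plaintext attack and every record decrypts. Sample key and records
below are constructed for the demo.
"""
from itertools import cycle
from typing import List, Optional, Tuple
import string

PRINTABLE = set(string.printable.encode())


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """The 'trivial algorithm': repeating-key XOR. Decryption is the same call."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Known-plaintext attack on repeating-key XOR.

    Tries key lengths 1..len(known_prefix). For length L the key is simply
    ciphertext[:L] XOR known_prefix[:L]; the remaining prefix bytes confirm
    that the key really repeats with period L. A key longer than the known
    label would need more known plaintext (a second field label, say).
    Returns the recovered key, or None if no length up to the prefix fits.
    """
    if len(ciphertext) < len(known_prefix):
        return None
    for length in range(1, len(known_prefix) + 1):
        candidate = bytes(c ^ p for c, p in zip(ciphertext[:length], known_prefix))
        trial = xor_encrypt(ciphertext, candidate)
        if trial.startswith(known_prefix) and all(b in PRINTABLE for b in trial):
            return candidate
    return None


def break_records(records: List[bytes], known_prefix: bytes) -> List[bytes]:
    """Recover the shared key from the first record and decrypt all of them."""
    key = recover_key(records[0], known_prefix)
    if key is None:
        raise ValueError("key not recoverable from the known prefix alone")
    return [xor_encrypt(r, key) for r in records]


# Constructed sample data: two customer records "protected" with a 3-byte key.
DEMO_KEY = b"k3y"
DEMO_PLAINTEXT = [
    b"name=Jane Doe;ssn=123-45-6789;card=4111111111111111",
    b"name=John Roe;ssn=987-65-4321;card=5500000000000004",
]
DEMO_CIPHERTEXT = [xor_encrypt(r, DEMO_KEY) for r in DEMO_PLAINTEXT]


def demo() -> Tuple[Optional[bytes], List[bytes]]:
    """Attacker's view: only the ciphertext plus knowledge of the record layout."""
    key = recover_key(DEMO_CIPHERTEXT[0], b"name=")
    return key, break_records(DEMO_CIPHERTEXT, b"name=")


if __name__ == "__main__":
    key, rows = demo()
    print("recovered key:", key)
    for row in rows:
        print(row.decode())
```

The stolen dataset here would qualify as "encrypted" under a safe harbor that names no algorithm, yet the attacker never needed the key. The same shortcut exists for any scheme whose key is recoverable from known plaintext or is stored beside the data; a standard cipher with a key that is not part of the stolen set removes it, which is the substance of the "other security requirements" Voice alludes to.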

Anti-Spyware Bills Pass House, Move to Senate
“The U.S. House of Representatives last week overwhelmingly passed two separate anti-spyware bills, but as the measures now move to the Senate, legislators will find most of the hard questions unresolved—a familiar scenario in Congress, where similar House bills withered last year following Senate inaction.

The SPY ACT (Securely Protect Yourself Against Cyber Trespass), authored by Rep. Mary Bono, R-Calif., takes the more active approach, requiring a conspicuous notice to users before transmitting spyware.

The SPY ACT largely resembles the Senate's SPYBLOCK (Software Principles Yielding Better Levels of Consumer Knowledge) bill, sponsored by Sens. Conrad Burns, R-Mont.; Ron Wyden, D-Ore.; and Barbara Boxer, D-Calif. The sponsors are awaiting a date for a committee hearing on the bill and hope to have one before the end of the summer, an aide to Burns said.

Alternatively, the Internet Spyware Prevention Act, authored by Rep. Bob Goodlatte, R-Va., focuses on penalties for fraudulent or deceptive behavior without targeting any particular technology—an approach favored by the IT industry.

Goodlatte's bill, which passed the House 395-1, makes it a crime to intentionally access a computer without authorization by causing code to be copied onto the computer and using it for malicious purposes.

From the industry's perspective, the Goodlatte approach avoids the possibility of ensnaring legitimate software downloads, such as security patches.”

I'm afraid we're going to get another CAN-SPAM act. Good only for saving legislators' ‘phoney baloney jobs.’ Let's make a movie about it.

We can call it ‘Blazing Firewalls.’…

http://www.eweek.com/article2/0,1759,1822182,00.asp?kc=ewnws060105dtx1k0000599