New State Laws Could Make Encryption Widespread
New laws that took effect in Nevada on Oct. 1 and will kick in on Jan. 1 in Massachusetts may effectively mandate encryption for companies' hard drives, portable devices, and data transmissions. The laws will be binding on any organization that maintains personal information about residents of the two states. (Washington and Michigan are considering similar legislation.) Nevada's law deals mostly with transmitted information and Massachusetts's emphasizes stored information. Between them the two laws should put more of a dent into lax security practices than widespread laws requiring customer notification of data breaches have done. (Such laws are on the books in 40 states and by one estimate have reduced identity theft by 2%.) Here are a couple of legal takes on the impact of the new laws.
It sounds to me like all you need to do is encrypt the hard drive and require a password, but if so, why so much? It seems $300 per person is probably on the expensive end for the software, but I'll let that one slide. However, $50 per person per month just to maintain the system? What is this cost for? What is there to maintain? The only thing I can think of is dealing with forgotten passwords, which will require restoring the system and losing whatever was on the laptop and not backed up. $600 per employee per year seems high for this.
I wonder if Massachusetts's concern about encrypting stored data has anything to do with EMC being headquartered in the state. Considering that EMC owns RSA (the company), a law like this would probably benefit EMC. Also, Massachusetts is home to TJX, famous for having had a major data breach.
[Note: I work for EMC, but have no inside knowledge related to this topic.]
"Information wants to be free."
I don't know about free. Anything but free. This is government admitting they expect widespread monitoring of communications. For example, in the case of the UK, that means all business data will be scanned along with people's emails, so it makes sense that governments and companies with international offices are going to be worried their internal email documents are going to be intercepted.
There are 10 kinds of people in the world... those who understand binary and those who don't.
I wonder if people will simply ROT13 their data for cheap token compliance.
Identity theft causes a breakdown in the system that allows a few very rich to wield excessive and arbitrary power while the majority struggles to meet their needs while surrounded by plenty.
I'm not rich. I don't expect to be rich, I don't desire to be rich. To be rich is to stand on the neck of your fellow man and steal his share, and to spend each day ensuring that the exploitation isn't disrupted.
I hope we see more identity theft. This system shouldn't exist, and the sooner it shatters due to its own inherent nature, the happier I will be.
I've got an idea for a much better law. All data must be placed on public servers, like Wikileaks, where anyone can examine it at any time. Anyone attempting to conceal information under any circumstances is guilty of conspiracy and treason. That would make it pretty hard to steal someone's identity; you'd be caught for sure.
-1 Uncomfortable Truth