Using Encryption Garners Exemption For Data Breach Notification

Combat Wombat writes with this excerpt from the Register: "New data breach rules for US healthcare providers have come under criticism from a security firm that specialises in encryption. As part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which comes into effect from 23 September, health organisations in the US that use encryption will no longer be obliged to notify clients of breaches."

Re:The actual document

[fluffy99]

Congratulations, you're one of the few people that read the article or the document itself. My take on this is that if end-end encryption was used, meaning the actual files lost were still securely encrypted and the keys were not compromised, then the data owner does not have to report it as compromised data. Sounds reasonable to me.

The ACT is also a huge motivator for these agencies to implement encryption in a secure manner, thereby avoiding the whole mess that happens every time a laptop gets stolen and they don't know what files were actually on it.

Re:XOR!

and I don't either. It's the key management that is the weak point. 10-to-1 the people who claim exemptions under this rule will lose a laptop in the same bag as the usb key that decrypts the whole mess...