Slashdot Mirror
National Data Breach Law Advances
Trailrunner7 writes "Two separate bills that would require organizations to notify consumers when their personal information has been compromised have made their way out of committee in the Senate, a critical step toward the creation of a national data-breach notification bill. But the Data Breach Notification Act, S.139, exempts federal agencies and other organizations subject to the bill from disclosing a breach if the data involved in the breach was encrypted. This is a clause that has caused some controversy, as some experts say that simply encrypting data does not render it useless. Also, S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.' That is a very broad exemption that could become a sticking point as the bill moves along. The terms 'access controls' and 'other such mechanisms' encompass a huge number of technologies."
Comment Redacted
Approved for Public Release
The law would be able to benefit us and punish corporate greed and misbehavior when it comes to data protection but thanks to the corporate interests in the pockets of our lawmakers this law has been made ineffective. The law probably doesn't even specify what punishment would be affected and if it does it's probably so small that most corporations would rather pay it than implementing the technology it requires to satisfy the law. It would probably be even harder to find punishments or personal liability of the corporate officers that make decisions around the compliance with the words. And as it advances through several other levels of lawmakers (house, president, back to congress, rewriting, ...) it will probably become even more bland.
If the law were to affect us, simple peasants and benefit corporate interests when breached, you could bet on it that long prison sentences and fines would be involved with it as is the case with the DMCA, ACTA and general 'intellectual property' laws.
Custom electronics and digital signage for your business: www.evcircuits.com
"I'm sorry, but we cannot disclose such an event because the data was indeed encrypted... in our new and highly-advanced ROT-0 encryption algorithm."
Quo usque tandem abutere, Nimbus, patientia nostra?
Sounds like they're saying that putting a BIOS password on a laptop means they don't have to tell anyone the next time they lose 500 million social security records, huh? Or heck, if BIOS passwords are too difficult, it could always just have user accounts. Those count as "access controls", too.
Combined with the idea of the government managing our health care, I'm not terribly encouraged by the idea.
Business as usual. Congress is beholden to corporate America. Bend over little guy and if you're lucky, you get some KY.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard
Doesn't ISO (International Organization for Standardization) have... standards for these kinds of things?
Industry standards are the corporate version of "all the other kids are doing it".
And seriously, I don't think self-regulation (aka industry standards) is going to cut it for data security.
[Fuck Beta]
o0t!
That's what this does: "S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms." It's akin to the Audit the Fed bill was rendered harmless by allowing the federal reserve to black-out names of persons/organizations that received money. It's meaningless.
I honestly don't understand Congresscritters who sell-out like this. Is keeping their job so important that they'd bend to the will of their corporate donaters and ignore their basic "don't be evil" morals?
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Dude, if you own stock, you ARE the corporation...
This is my sig.
It looks to me (perhaps naively) that the exemption might be well-intentioned. But yeah, they got it wrong. They're looking at the notification as somehow a punishment, and if the accidental leaker basically tried to do the right thing, then there's no reason to "punish" them by embarrassing them.
But is that really the point? If your information gets out, nobody gives a damn whether the leaker did what all the other lemmings did. What you care about, is whether whatever they did -- whether it's a standard industry practice or not -- will prevent the leaked data from being useable. There are lots of industry standards but if you actually work in the industry or understand tech stuff, then you know that many of them are pretty stup-- ineffective.
The exemption should totally ignore the idea of what is considered best practices, and just ask: can the information be used? If it can, then notification should be required. If the information is safe, then don't worry too much.
now all the stupid spammers have to do is flash their 12 for a dollar gov't I.D.'s and they're home free.
Smoking cures cancer. Smoking also cures stupidity. check darwinawards . com for some stupid stuff
I wonder how this would change how courts view peoples' expectations of privacy with regard to their data. It sounds like this kind of measure could be used to help reinforce the need for warrants for the authorities to search the data?
All this will really do is further increase the costs of good and services. Isn't it great when government gets involved?
S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.
In essence, this means the only companies required to report a data breach are the ones that keep their information in a publicly facing database with no authentication.
that are widely accepted as an effective industry practice
Windows is "widely accepted as an effective industry practice"; that doesn't make it so. Most people are not very good at security and will "accept" stupid practices.
I am not sure the proposed law does much if redaction is all it takes to get a pass. From Law.com:
Read more...
"Also, S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.'"
I think that the whole purpose of this is to cover things like storing passwords, etc., as hashed data. That's something I tried to get into Virginia's data breach law (and will probably give it a shot again this year), but try explaining the concept of "cryptographic hashes" to legislators who are mostly lawyers. Three guys on the subcommittee got it (engineers and tech guys), but it was WAY over everybody else's heads.
And it's not just the legislators. the LexisNexis lobbyist went ballistic over the idea until she talked to somebody in her IT department, because she didn't understand what was going on.
I understand what this language is supposed to do, but it's just poorly crafted.
I for one welcome our ROT13 encoding overlords.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
Encryption is not a cure all for security needs. It is merely a tool, similar to locks on the door, guards with M16s, and CCTV cameras. Poorly implemented, it could mean little to a clued attacker, and businesses need to realize that the clued attackers are far more common that they think.
One example: Say someone uses the hardware encryption on a tape drive. Tape drives can have encryption set in multiple ways. It can be manually set for all tapes, or the backup application can manage keys and set the encryption pet tape. If an organization is slipshod about the way they use the encryption and use one key for all tapes, and have that key information written on the proverbial slip of paper on the monitor, then an attacker can grab the tapes, perhaps grab a tape drive or buy one, and decrypt the info to their hearts content. Compare this to an organization which uses more stringent backup procedures so that even if a tape is stolen by an insider, it won't be decodable.
Another example: BitLocker. If implemented right, BitLocker is solid against most known threats (avenues like rubber hoses and RAM scanning via IEEE1394 are different). However, if someone installs BitLocker and then disables all key protectors, to a competant attacker, the BitLocker protection is dealt with. Same with people using BitLocker on machines without TPMs using USB flash drives, and not making sure the flash drive is stored securely.
There are various implementions of encryption. ECB is a bad version (because an attacker can figure out what a block matches to). A good implementation might use multiple diffusers and an algorithm like XTS so an attacker can't compare sector 55 with sector 157 and determine if the contents are similar. So, even though a program might use AES, if salts and other crypto concepts are not used, it severely weakens security.
Finally, TrueCrypt. If someone thinks that TrueCrypt fixes all their security issues and doesn't concern themselves with attacks over the wire, an attacker can either slap a keylogger on a machine, or just read the volume decryption keys from memory, then at a later date grab the disks if there is too much data to fetch from remote. If TrueCrypt is used with proper protection against network attacks (firewall, etc.) then it provides excellent protection.
I am concerned that a law exempting breaches from being disclosed would only work in the blackhat's favor. In theory, someone could rot13 the data on the drive, or AES it with an all zero key to make the security that comes with encryption meaningless.
"Sure, Ryan and his boys can make it hack-proof. But that don't mean we ain't gonna hack it."
Veritas patesco per quaestio questio. Truth is revealed through questions.
You'd think that large corporations would already have incentive to secure their data, aside from being required to do so. I would imagine that the cost of taking some basic measures to up your game would be much cheaper than paying out large sums of money in lawsuits to people who had their credentials compromised. Simple things like full drive crypto on laptops, or sanitizing database inputs to prevent SQL injection are not difficult to do, yet would prevent against a laptop theft from a car or someone dumping your entire database. Cryptography is good, but not invincible. Motivated attackers can use distributed cracking tools, rainbow tables, or merely exploit a weak avenue and wait for password re-use. I'd like to see requirements for companies notifying individuals if there has been a breach, but I'd also prefer that simple security measures were put in place so that disclosure laws didn't need to be invoked very often.
The intention isn't to make everything 100% secure at first. That just wouldn't be feasible. The way I see it, this might be very efficient in improving the overall situation over time.
You can get yourself exempt from a lot of the responsibility by implementing encryption? What kind of a manager would not do their best to achieve that? There needs to be some significant carrot like that to encourage the managers to really want it.
And as you are going to implement some practices regarding them anyways, you could just as well do it decently (put a bit more money into research, consultants, etc., produce a few whitepapers... Get some manager cred. for a succesful operation.). Not perfectly (money doesn't guarantee quality, as we well know), but enough to improve things from what they were.
The "widely accepted industry standards" means that the worst companies of the lot don't qualify so this encourages them to improve their standards. When the worst companies always have the interest in improving their standards, it could throw the industry to very slow but steady loop of improving quality.
Yeah, this isn't a silverbullet that fixes everything. I don't think that there could be anything like that. But this has some serious potential to encourage companies to improve in the area.
Just slap some DRM on the data; that's always worked to keep people out in the past.
0x09F911029D74E35BD84156C5635688C0
Absolute power corrupts absolutely
A few years ago, at one of the last National Information Security Systems Conference meetings, one of the speakers noted that for 30+ years, people had been trying to make multilevel secure databases, with lots of very clever methods tried.
All these efforts failed.
It was found that you could keep all those secrets securely, but performance in retrieving any of them went off a cliff. If you wanted good performance, there were always open channels.
The relevance is that Nature may be trying to tell us here that keeping too many secrets at a time and still use them quickly is an infeasible thing. Encryption is one way to do access control, and unless the key handling is discussed, it tends to be snake oil. Consider that encrypting your giant database of sensitive info with a, say, 512 bit key and the best algorithm you can find still means that it takes only 128 characters of hex to hold that key. This small key can be written on a slip of paper and carried out, or handled with stego to foil inspectors who empty pockets/purses. If you lose the giant database, and believe all is well because it is strongly encrypted, if one of a myriad of folks who need access to the data legitimately manages to get a copy of the key and spirits it out of your organization, that data is lost. Point is that people tend to watch encrypted data less than cleartext data, believing it to be safe. Yet if a key for it is widely enough needed, it will be an Achilles' heel of the scheme and the crypto can actually facilitate theft.
The main lesson that has been ignored is that most of the information is sensitive because it is abused as authentication signals, rather than merely identification. Your phone number is (mostly) not sensitive because nobody expects that only YOU can possibly know it. Now, with the continual failing of el cheapo schemes to authenticate, and gradual recognition of the weaknesses of e.g. fingerprints (vulnerable to theft of patterns) and the like, it becomes apparent that some hardware in customer hands, which is not connected to computer networks,is one of the few promising avenues. It must be used with protocols that identify in both directions and which allow transaction signing (since remote access connections are not 100% guaranteed never to be broken into), and the protocols need to be designed so that they work whether eavesdropped upon or not. With such beasts, only the small secrets needed to validate them need be kept, not a myriad of pieces of "personal" information that everyone can get to with a little internet research.
Alas, the government does not seem to understand this and continues to act as though the solution is to find yet larger whips and spears with which to flog those who (again) release this sensitive data, rather than make it intrinsically un-useful to anyone trying to steal identities, money, etc. Various other institutions likewise seem not to "get" this. The effect of such is that fraud of all kinds abounds, is cheap, easy, and hard to prosecute. Also the intellectually out-of-gas legislators and bureaucrats who are floundering about trying to "solve" the problem look likely to succumb to turning the country into a totalitarian regime in their efforts. Lord help them and us if they do; they will not solve the problem, but if a fanatic on any subject who is not inhibited by conscience gets in power, all these "remedies" will come back to haunt millions and perhaps make the efforts of Stalin or the like seem like amateur acts.
Why is the default for filesystems to be unencrypted?
Why is the default for email unencrypted?
In fact, in any current OS, Windows/Linux/OSX, I have to go out of my way to add encryption to either my data or my email. And if I do encrypt my email, I will just get blank stares from the recipients, because their client will not have a clue.
Intron: the portion of DNA which expresses nothing useful.
I'm sure someone will correct me if I'm wrong, but according to the DMCA, bitswapping is considered as encryption. (Remember dvd encryption, and how it only took those guys mere minutes to brute force against it? That made me want to laugh myself to death.) What's to prevent the health care industry from doing the minimum encryption possible? Most corporations are mostly interested in the bottom line, which means the minimum dollar amount required to achieve the minimum compliance level necessary to cover their own ass. And, then they'll probably advertise more on the fact that they're compliant, than on the act of actual compliance. The smoking companies are pretty famous for that. And who's to say that whatever compliance level that is described (if any) in the bills, aren't annually revised to maintain a sufficient level of effort required to still make cracking the encryption impractical. Because, if it's not, then just wait a few years, and the power of technology will let you brute force/crack almost anything. We're already at the point where there's news of 2+ attacks against WPA1. And with personal health info, the average lifespan is 70+ years, so that means you could probably sit on the data for 10 years or more while technology makes cracking the encryption way more trivial than it was when it was encrypted.
The company should be allowed to explain what type of encryption the data was protected with when informing customers of the breach
But should not be relieved of the notification. Mere data encryption does not assure the info has not been exposed and won't be, based on the breach.
So what the hell happens when a corporation improperly releases my information to the Government?
Some hacker in RU or China getting a database dump of my personal information bothers me a lot less than most government agencies getting a database dumps of my personal information. At least the frigen hackers are likely to do a better job of controlling how that information gets spread around than most government agencies.
... our National Data wouldn't be walking around without pants.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.