National Data Breach Law Advances
Trailrunner7 writes "Two separate bills that would require organizations to notify consumers when their personal information has been compromised have made their way out of committee in the Senate, a critical step toward the creation of a national data-breach notification bill. But the Data Breach Notification Act, S.139, exempts federal agencies and other organizations subject to the bill from disclosing a breach if the data involved in the breach was encrypted. This is a clause that has caused some controversy, as some experts say that simply encrypting data does not render it useless. Also, S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.' That is a very broad exemption that could become a sticking point as the bill moves along. The terms 'access controls' and 'other such mechanisms' encompass a huge number of technologies."
"I'm sorry, but we cannot disclose such an event because the data was indeed encrypted... in our new and highly-advanced ROT-0 encryption algorithm."
Quo usque tandem abutere, Nimbus, patientia nostra?
Business as usual. Congress is beholden to corporate America. Bend over, little guy, and if you're lucky, you get some KY.
It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
Dude, if you own stock, you ARE the corporation...
This is my sig.
Especially when security is a measure of current technology. Encryption levels that today render data "undecipherable" will not remain constant over time. Look at how many techniques have been rendered useless over time. Even a high bit level means little because of possible flaws in technique, not to even mention the possibility of simply storing data and waiting for quantum computing to become commercial.