Slashdot Mirror


National Data Breach Law Advances

Trailrunner7 writes "Two separate bills that would require organizations to notify consumers when their personal information has been compromised have made their way out of committee in the Senate, a critical step toward the creation of a national data-breach notification bill. But the Data Breach Notification Act, S.139, exempts federal agencies and other organizations subject to the bill from disclosing a breach if the data involved in the breach was encrypted. This is a clause that has caused some controversy, as some experts say that simply encrypting data does not render it useless. Also, S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.' That is a very broad exemption that could become a sticking point as the bill moves along. The terms 'access controls' and 'other such mechanisms' encompass a huge number of technologies."

7 of 51 comments

  1. Toothless by guruevi · Score: 3, Interesting

    The law would be able to benefit us and punish corporate greed and misbehavior when it comes to data protection, but thanks to the corporate interests in the pockets of our lawmakers this law has been made ineffective. The law probably doesn't even specify what punishment would be applied, and if it does, it's probably so small that most corporations would rather pay it than implement the technology it requires to satisfy the law. It would probably be even harder to find punishments or personal liability for the corporate officers that make decisions around compliance with the words. And as it advances through several other levels of lawmakers (house, president, back to congress, rewriting, ...) it will probably become even more bland.

    If the law were to affect us, simple peasants, and benefit corporate interests when breached, you could bet on it that long prison sentences and fines would be involved with it, as is the case with the DMCA, ACTA and general 'intellectual property' laws.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  2. Access Controls by savanik · Score: 3, Interesting

    Sounds like they're saying that putting a BIOS password on a laptop means they don't have to tell anyone the next time they lose 500 million social security records, huh? Or heck, if BIOS passwords are too difficult, it could always just have user accounts. Those count as "access controls", too.

    Combined with the idea of the government managing our health care, I'm not terribly encouraged by the idea.

  3. Why industry standards? by TubeSteak · Score: 4, Interesting

    rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard

    Doesn't ISO (International Organization for Standardization) have... standards for these kinds of things?

    Industry standards are the corporate version of "all the other kids are doing it".
    And seriously, I don't think self-regulation (aka industry standards) is going to cut it for data security.

    --
    [Fuck Beta]
    o0t!
  4. Protecting the megacorps by commodore64_love · Score: 2, Interesting

    That's what this does: "S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms.'" It's akin to how the Audit the Fed bill was rendered harmless by allowing the Federal Reserve to black out names of persons/organizations that received money. It's meaningless.

    I honestly don't understand Congresscritters who sell out like this. Is keeping their job so important that they'd bend to the will of their corporate donors and ignore their basic "don't be evil" morals?

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  5. Access Controls? by Reason58 · Score: 2, Interesting

    S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.

    In essence, this means the only companies required to report a data breach are the ones that keep their information in a publicly facing database with no authentication.

  6. Good idea, wrong language by lax-goalie · Score: 3, Interesting

    "Also, S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.'"

    I think that the whole purpose of this is to cover things like storing passwords, etc., as hashed data. That's something I tried to get into Virginia's data breach law (and will probably give it a shot again this year), but try explaining the concept of "cryptographic hashes" to legislators who are mostly lawyers. Three guys on the subcommittee got it (engineers and tech guys), but it was WAY over everybody else's heads.

    And it's not just the legislators. The LexisNexis lobbyist went ballistic over the idea until she talked to somebody in her IT department, because she didn't understand what was going on.

    I understand what this language is supposed to do, but it's just poorly crafted.

  7. You are missing the point by Anonymous Coward · Score: 1, Interesting

    The intention isn't to make everything 100% secure at first. That just wouldn't be feasible. The way I see it, this might be very efficient in improving the overall situation over time.

    You can get yourself exempt from a lot of the responsibility by implementing encryption? What kind of a manager would not do their best to achieve that? There needs to be some significant carrot like that to encourage the managers to really want it.

    And as you are going to implement some practices regarding them anyway, you could just as well do it decently (put a bit more money into research, consultants, etc., produce a few whitepapers... Get some manager cred for a successful operation.). Not perfectly (money doesn't guarantee quality, as we well know), but enough to improve things from what they were.

    The "widely accepted industry standards" means that the worst companies of the lot don't qualify, so this encourages them to improve their standards. When the worst companies always have an interest in improving their standards, it could throw the industry into a very slow but steady loop of improving quality.

    Yeah, this isn't a silver bullet that fixes everything. I don't think that there could be anything like that. But this has some serious potential to encourage companies to improve in the area.