Breach Bills, and the Role of Encryption
In Grant Gross’s IDG article, “VA Security Breach Bill Criticized by Cybersecurity Group,” [link to http://www2.csoonline.com/blog_view.html?CID=27512 no longer works] CyberSecurity Industry Alliance General Counsel Liz Gasster is quoted extensively:
The Veterans Benefits, Health Care, and Information Technology Act, largely focused on veterans’ health-care programs, includes a section on information security requiring the VA to report data breaches of any “sensitive” personal information, potentially including breaches where only veterans’ names were exposed, said Liz Gasster, general counsel for the Cyber Security Industry Alliance (CSIA), a trade group representing cybersecurity vendors.
The bill, passed by Congress late last week, requires the VA to report breaches of sensitive personal information to Congress and requires VA Secretary R. James Nicholson to create plans for notifying affected veterans, as well as offering credit monitoring and identity theft insurance to affected veterans.
Hey, another law! I’d missed it!
“Essentially, the loss of a list of names on a piece of paper constitutes a data breach under the law, which seems far too broad,” she said. “Clearly, your name is not sensitive personal information.”
Perhaps Congress has figured out that there are more reasons to know about breaches than identity theft risk. If the VA can’t control data entrusted to it, Congress wants to know, has a right to know, and has a responsibility to know. I’m glad they’re taking interest, and will be able to evaluate the effectiveness of FISMA.
In addition to its potentially broad definition of sensitive personal data, the bill does not exempt the VA from reporting data breaches if the information was encrypted, Gasster said. In supporting a national data breach notification bill, CSIA and other groups have called on Congress to exempt encrypted data from notification rules, saying the exemption would encourage companies and government agencies to encrypt more data.
The lack of an exemption “seems like it deprives the benefit of encryption from the VA,” Gasster said.
This is an odd perspective, perhaps an artifact of the way the conversation is reported. The benefit of encryption is that the data is protected: the organization that encrypted it is shielding the people who entrusted it with that data from privacy infringements. There’s a secondary benefit of not having to report the breach, but it should be secondary in the minds of civil servants.
Although the bill’s language on personal sensitive information and encrypted data is too broad, in some ways the bill doesn’t do enough to protect consumers, Gasster added. The bill only addresses VA data breaches, not breaches at other government agencies or private companies.
And that really is a shame.
I agree the language is too broad. Just as they don’t need to be reporting the loss of a scrap of paper with a list of names on it (well, maybe they do), the language on encryption seems to indicate that if it is encrypted with ROT13 it is protected.
TRex
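The comment above makes a point worth showing concretely: a bill that exempts "encrypted" data without saying what counts as encryption would, read literally, cover ROT13. The following is an added illustration, not code from the post or its commenter, and the sample record, the scheme names and the `exemption_defensible` policy model are assumptions constructed for it. It contrasts ROT13, which needs no secret to reverse, with a one-time pad, where losing the ciphertext alone exposes nothing, and uses that contrast as the test a notification exemption ought to rest on.

```python
import codecs
import secrets

# Constructed sample record, not real data: the kind of line a lost list might hold.
SAMPLE_RECORD = "Name: Jane Example, SSN: 000-00-0000"


def rot13(text: str) -> str:
    """ROT13 is a fixed Caesar shift of 13; it has no key, so applying it twice is the identity."""
    return codecs.encode(text, "rot_13")


def recover_rot13_without_key(ciphertext: str) -> str:
    """Anyone holding only the ROT13 'ciphertext' recovers the plaintext with no secret at all."""
    return codecs.encode(ciphertext, "rot_13")


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: XOR with a fresh random key at least as long as the message.
    The key, held separately, is the secret; the ciphertext by itself reveals nothing."""
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, but only the holder of the real key gets the plaintext back."""
    return otp_encrypt(ciphertext, key)


def plaintext_exposed_by_rot13(record: str) -> bool:
    """True if a key-less reader of the ROT13 'ciphertext' gets the record back verbatim."""
    return recover_rot13_without_key(rot13(record)) == record


def plaintext_exposed_by_otp(record: str) -> bool:
    """True if a reader holding the ciphertext but not the key gets the record back.
    Modelled here with a wrong, randomly guessed key; for a 36-byte record the chance
    a guess matches is 2**-288, and the one-time pad's secrecy proof covers the rest."""
    data = record.encode()
    real_key = secrets.token_bytes(len(data))
    guessed_key = secrets.token_bytes(len(data))  # assumption: the reader lacks real_key
    ciphertext = otp_encrypt(data, real_key)
    return otp_decrypt(ciphertext, guessed_key) == data


def exemption_defensible(record: str, scheme: str) -> bool:
    """Hypothetical policy model: should losing this 'encrypted' copy be exempt from
    notification? Only if the ciphertext on its own does not expose the record."""
    checks = {"rot13": plaintext_exposed_by_rot13, "otp": plaintext_exposed_by_otp}
    return not checks[scheme](record)


if __name__ == "__main__":
    for scheme in ("rot13", "otp"):
        print(f"{scheme}: exemption defensible = {exemption_defensible(scheme=scheme, record=SAMPLE_RECORD)}")
```

The policy model is deliberately simple: it asks only whether the lost artifact, by itself, gives a reader the record. A real exemption would pin the definition to a recognised standard and to the key being stored separately from the data, which is exactly the detail the bill's bare word "encrypted" leaves out.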