Shostack + Friends Blog Archive

2 Proposed Breach Laws move forward

See George Hulme, “National Data Breach Law Steps Closer To Reality” [link to https://www.hitrustcentral.net/blogs/ht/archive/2009/11/06/national-data-breach-law-steps-closer-to-reality.aspx no longer works] and Dennis Fisher’s Threatpost post at http://threatpost.com/en_us/blogs/two-data-breach-notification-bills-advance-senate-110609.

Dennis flags this awe-inspiring exception language: “rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.”

Emphasis added where my jaw dropped so fast that the letters are off-kilter.

[Update: Yes, I understand it’s likely an attempt to cover cryptosystems that we think work and are then broken, or some similar situation. However, if your data is encrypted with FEAL, and it turns out FEAL is really weak, should you really get an exception? You ought to be able to say you tried hard, but the data is still at risk. That may affect the people to whom you said “your privacy is important to us.”]