Spurred by the ongoing flood of sensitive data breaches this spring, nearly a dozen states may have breach notification laws on their books by summer. In turn, makers of security software and companies in several other industries are pressuring Capitol Hill for a federal law pre-empting the states measures.
In Congress, more than a half-dozen bills requiring a range of data security measures and breach notification rules are pending, and at least two more are slated for introduction in coming months.
These measures—including one under consideration by Rep. Cliff Stearns, R-Fla., and one in the draft stages by Rep. Deborah Pryce, R-Ohio—illustrate one of the most contentious questions in the debate: Should there be a notification exemption for businesses that encrypt their data?
Not surprisingly, industries for the most part are pushing for an encryption exemption to notification, a safe harbor that is included in California SB (Senate Bill) 1386, a notification law that went into effect in July 2003. The growing security software industry, a major ally in this effort, is trying to convince lawmakers that when encrypted data is stolen, the theft poses no meaningful harm to consumers.
"If the data is encrypted, its gibberish. They dont know what it is. They cant use it," said Dan Burton, vice president of government affairs for Entrust Inc.
Some data security experts contend, however, that an encryption safe harbor could reduce data holders incentives to implement strong protective measures in the first place. Criticizing the California notification law, Bruce Schneier, chief technology officer at Counterpane Internet Security Inc., of Mountain View, Calif., said it lets data holders bypass disclosure without necessarily protecting the data.
"You can encrypt the data with a trivial algorithm and get around [the law]," Schneier said. "If you can get around a law by doing something stupid, its a badly written law."
Entrust supports an encryption exemption to notification but not without other security requirements, said Chris Voice, CTO at the Addison, Texas, company. "Like any technological approach, its going to require more than just encrypting the data," Voice said. "I think security controls will have to be in place regardless."
Even strong encryption theoretically can be broken, but it requires resources and effort that thieves are highly unlikely to expend, advocates of the safe harbor argue.
That argument does not appease consumer representatives. "We may not be comfortable having our information out there, even in gibberish format," said Susanna Montezemolo, policy analyst at the Consumers Union, in Washington. "Encryption shouldnt be the issue. We shouldnt have to define potential harm and risk."
Acknowledging the political influence of the industries lobbying for the safe harbor, however, Montezemolo said that a breach notification law with a safe harbor is better than no law at all but that the safe harbor must be narrowly tailored so as not to be an excuse for shoddy security.