[Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
Arshad Noor
arshad.noor at strongauth.com
Fri Jun 6 23:13:39 UTC 2008
----- Original Message -----
From: "security curmudgeon" <jericho at attrition.org>
To: dataloss at attrition.org
Sent: Friday, June 6, 2008 1:06:01 PM (GMT-0800) America/Los_Angeles
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
Taking this one step farther, what if the tape *is* encrypted using really
strong encryption and the tape is lost. Does the company have to warn
customers?
Certainly not in California. The Breach Disclosure law (originally
SB-1386) provides a safe-harbor for encrypted data. Not sure what the
other 42 US states do, but they modeled their laws along the lines of
California's to the best of my knowledge.
If not, will that lead to companies claiming strong encryption
regardless,....
This is a weakness in all Breach Disclosure laws. They do not specify
the type of encryption. While I agree that lawmakers are not the most
qualified people to determine appropriate ciphers, they could have at
least pointed to NIST standards as the minimum. That would have given
us 3DES and AES encryption. Right now, we have nothing. Very short-
sighted.
Arshad Noor
StrongAuth, Inc.
More information about the Dataloss
mailing list