[Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

Arshad Noor arshad.noor at strongauth.com
Fri Jun 6 23:13:39 UTC 2008


----- Original Message -----
From: "security curmudgeon" <jericho at attrition.org>
To: dataloss at attrition.org
Sent: Friday, June 6, 2008 1:06:01 PM (GMT-0800) America/Los_Angeles
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)


Taking this one step farther, what if the tape *is* encrypted using really 
strong encryption and the tape is lost. Does the company have to warn 
customers?

  Certainly not in California.  The Breach Disclosure law (originally 
  SB-1386) provides a safe-harbor for encrypted data.  Not sure what the 
  other 42 US states do, but they modeled their laws along the lines of
  California's to the best of my knowledge.

If not, will that lead to companies claiming strong encryption 
regardless,....

  This is a weakness in all Breach Disclosure laws.  They do not specify
  the type of encryption.  While I agree that lawmakers are not the most
  qualified people to determine appropriate ciphers, they could have at
  least pointed to NIST standards as the minimum.  That would have given
  us 3DES and AES encryption.  Right now, we have nothing.  Very short-
  sighted.

Arshad Noor
StrongAuth, Inc.



More information about the Dataloss mailing list