[Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
lyger
lyger at attrition.org
Fri Jun 6 23:31:36 UTC 2008
While outdated by a few months and not accounting for recently
added/updated state laws, this document provides a quick overview of which
states provide exemptions for encrypted data:
http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf
On Fri, 6 Jun 2008, Arshad Noor wrote:
": "
": " ----- Original Message -----
": " From: "security curmudgeon" <jericho at attrition.org>
": " To: dataloss at attrition.org
": " Sent: Friday, June 6, 2008 1:06:01 PM (GMT-0800) America/Los_Angeles
": " Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)
": "
": "
": " Taking this one step farther, what if the tape *is* encrypted using really
": " strong encryption and the tape is lost. Does the company have to warn
": " customers?
": "
": " Certainly not in California. The Breach Disclosure law (originally
": " SB-1386) provides a safe-harbor for encrypted data. Not sure what the
": " other 42 US states do, but they modeled their laws along the lines of
": " California's to the best of my knowledge.
": "
": " If not, will that lead to companies claiming strong encryption
": " regardless,....
": "
": " This is a weakness in all Breach Disclosure laws. They do not specify
": " the type of encryption. While I agree that lawmakers are not the most
": " qualified people to determine appropriate ciphers, they could have at
": " least pointed to NIST standards as the minimum. That would have given
": " us 3DES and AES encryption. Right now, we have nothing. Very short-
": " sighted.
": "
": " Arshad Noor
": " StrongAuth, Inc.