[17335] in cryptography@c2.net mail archive
Re: [Clips] Storm Brews Over Encryption 'Safe Harbor' in Data Breach
daemon@ATHENA.MIT.EDU (Thierry Moreau)
Fri Jun 3 07:08:11 2005
X-Original-To: cryptography@metzdowd.com
Date: Fri, 03 Jun 2005 00:12:31 -0400
From: Thierry Moreau <thierry.moreau@connotech.com>
To: "R.A. Hettinga" <rah@shipwright.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <p06230527bec5002d588d@[68.167.57.91]>
Posted on cryptography@metzdowd.com:
> <http://www.eweek.com/print_article2/0,2533,a=153008,00.asp>
>
> EWeek
>
>
> Storm Brews Over Encryption 'Safe Harbor' in Data Breach Bills
> May 31, 2005
> By Caron Carlson
>
> Spurred by the ongoing flood of sensitive data breaches this spring, nearly
> a dozen states may have breach notification laws on their books by summer.
> In turn, makers of security software and companies in several other
> industries are pressuring Capitol Hill for a federal law pre-empting the
> states' measures.
>
> In Congress, more than a half-dozen bills requiring a range of data
> security measures and breach notification rules are pending, and at least
> two more are slated for introduction in coming months.
>
Here is a suggestion for an encrypted data exception based on reasonable
key management principles:
--------------------
Sec xyz) The [breach notification requirement set forth in section ...]
does not apply to [breached data portions] for which the following
conditions are demonstrably met:
a) the [breached data portion] is in an encrypted form using an
encryption algorithm and an encryption key that can be shown to be
[resistant / compatible or equivalent to NIST recommended practice for
encrypting classified data],
b) the said encryption key has always been under the sole control of the
[data originator],
c) the [data originator] is in a position to retire every copy of the
said encryption key from operations, and
d) the [data originator] takes all reasonable steps to so retire every
copy of the said encryption key from operations as soon as the [data
breach event] is known to [the data originator], and completes such
retirement within [a delay e.g. the same delay as for notification].
The evidence that conditions a) to d) are met shall be [kept for auditor
review / filed with an incident report otherwise mandated]
--------------------
Is that actually a reasonable key management principle?
Is it possible that the US law-makers adopt such sensible approaches?
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada H2M 2A1
Tel.: (514)385-5691
Fax: (514)385-5900
web site: http://www.connotech.com
e-mail: thierry.moreau@connotech.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com