Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Government Security Encryption Your Rights Online

National Data Breach Law Advances 51

Trailrunner7 writes "Two separate bills that would require organizations to notify consumers when their personal information has been compromised have made their way out of committee in the Senate, a critical step toward the creation of a national data-breach notification bill. But the Data Breach Notification Act, S.139, exempts federal agencies and other organizations subject to the bill from disclosing a breach if the data involved in the breach was encrypted. This is a clause that has caused some controversy, as some experts say that simply encrypting data does not render it useless. Also, S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.' That is a very broad exemption that could become a sticking point as the bill moves along. The terms 'access controls' and 'other such mechanisms' encompass a huge number of technologies."
This discussion has been archived. No new comments can be posted.

National Data Breach Law Advances

Comments Filter:
  • Toothless (Score:3, Interesting)

    by guruevi ( 827432 ) on Friday November 06, 2009 @01:22PM (#30007594)

    The law would be able to benefit us and punish corporate greed and misbehavior when it comes to data protection but thanks to the corporate interests in the pockets of our lawmakers this law has been made ineffective. The law probably doesn't even specify what punishment would be affected and if it does it's probably so small that most corporations would rather pay it than implementing the technology it requires to satisfy the law. It would probably be even harder to find punishments or personal liability of the corporate officers that make decisions around the compliance with the words. And as it advances through several other levels of lawmakers (house, president, back to congress, rewriting, ...) it will probably become even more bland.

    If the law were to affect us, simple peasants and benefit corporate interests when breached, you could bet on it that long prison sentences and fines would be involved with it as is the case with the DMCA, ACTA and general 'intellectual property' laws.

  • by Penguinisto ( 415985 ) on Friday November 06, 2009 @01:22PM (#30007606) Journal

    "I'm sorry, but we cannot disclose such an event because the data was indeed encrypted... in our new and highly-advanced ROT-0 encryption algorithm."

    • I can see the informercial now.

      "Everyone knows our competitors' ROT-0 encryption is easy to break. It's got a 0 in it so it must be useless garbage. If you want heavy-duty encryption at an affordable cost, use our SIX-round ROT-13 encryption system that's guaranteed to keep your data safe or your money back(*). Call now and we'll upgrade you to our professional heavy-duty first-class TWELVE ROUND ROT-13 system for only $5 more! That's double the rounds, so it's got to be better, right?"


      [in 2-point
      • by Belial6 ( 794905 )
        "Everyone know that ROT-13 used by our competitors has been thoroughly broken by the international teams of pirates and thus leaves your children in grave danger from the internet pedophiles. For truly safe encryption use our patented SIX-round ROT-26. That is over twice the protection of our competitors lowly ROT-13. Included in all of our products is our new patented Zero Overhead Decryption. ZOD decryption method dramatically improves read times over the out dated ROT-13 decryption.

        And for a limit
        • Bah. You people with your ROT-13's and your ROT-26's. I use ROT-676. Yes, that's ROT 26 SQUARED. And I'm finishing up plans to upgrade to ROT-26-To-The-26th-Power. Let's see you crack that!

          • by Belial6 ( 794905 )
            You obviously did not read the patent very closely. Our PATANT on ROT-26 includes all derivative works which specifically includes ROT encryption multiples of 26. So, your ROT-676 is a clear THEFT of our valuable intellectual property. I certainly hope that during your THEFT of our invention you did not also attempt to STEAL our ZOD (Zero Overhead Decryption) technology as our company has spent millions of dollars developing the intellectual property that allows us to decrypt ROT-26 as well as all derivi
    • by Anonymous Coward

      The intention isn't to make everything 100% secure at first. That just wouldn't be feasible. The way I see it, this might be very efficient in improving the overall situation over time.

      You can get yourself exempt from a lot of the responsibility by implementing encryption? What kind of a manager would not do their best to achieve that? There needs to be some significant carrot like that to encourage the managers to really want it.

      And as you are going to implement some practices regarding them anyways, you c

      • The intention isn't to make everything 100% secure at first.

        The intent of the law isn't to improve security at all. The law is supposed to force companies to notify the people that might be affected when a data breach occurs, so that the people whose data was lost can take appropriate action, such as contacting their credit card company that their card number has been stolen. No security system is perfect, so there needs to be a requirement that people are notified when their data is stolen, no matter how much security was in place.

      • Sure there is. It's made up of three words that anyone in the corporate working world can understand.

        "Corporate Death Penalty"

    • Don't make me drug you and beat you with a wrench!

  • Access Controls (Score:3, Interesting)

    by savanik ( 1090193 ) on Friday November 06, 2009 @01:24PM (#30007614)

    Sounds like they're saying that putting a BIOS password on a laptop means they don't have to tell anyone the next time they lose 500 million social security records, huh? Or heck, if BIOS passwords are too difficult, it could always just have user accounts. Those count as "access controls", too.

    Combined with the idea of the government managing our health care, I'm not terribly encouraged by the idea.

    • Considering that the theft of credit card information that happened to TJ Maxx and other stores was done while the data was protected by Access Control Lists, I'm not sure this bill is worth the paper it is printed on. Does my Windows Logon constitute reasonable and industry-standard Access Control? Does it count if my keyphrase to my encrypted volume is "password", "god" or "John"?

      The point of industry-standard security in most cases is just to make sure no one can just drive-by and clean everything out. I

    • Combined with the idea of the government managing our health care, I'm not terribly encouraged by the idea.

      You mean other than private companies, whose sole reason of existence is to make as much money off you while giving you as little as possible? Either legal or trough bribery. Who literally will throw you out of the hospital with broken ribs, to die on the street. (Yes, I've seen that happen.) And who are in no way related to your actual health?

      Yeah, I really hope you can keep those companies. Then I don't have to strangle you with my bare hands for being such an unbelievable retard, but can just let the HMO

  • by TubeSteak ( 669689 ) on Friday November 06, 2009 @01:31PM (#30007690) Journal

    rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard

    Doesn't ISO (International Organization for Standardization) have... standards for these kinds of things?

    Industry standards are the corporate version of "all the other kids are doing it".
    And seriously, I don't think self-regulation (aka industry standards) is going to cut it for data security.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Especially when security is a measure of current technology. Encryption levels that today render data "undecipherable" will not remain constant over time. Look at how many techniques have been rendered useless over time. Even high bit level means little because of possible flaws in technique, not even mention the possibility of simply storing data and waiting for quantum computing to become commercial.

  • by commodore64_love ( 1445365 ) on Friday November 06, 2009 @01:31PM (#30007694) Journal

    That's what this does: "S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms." It's akin to the Audit the Fed bill was rendered harmless by allowing the federal reserve to black-out names of persons/organizations that received money. It's meaningless.

    I honestly don't understand Congresscritters who sell-out like this. Is keeping their job so important that they'd bend to the will of their corporate donaters and ignore their basic "don't be evil" morals?

    • I honestly don't understand Congresscritters who sell-out like this. Is keeping their job so important that they'd bend to the will of their corporate donaters and ignore their basic "don't be evil" morals?

      Congresscritters have "don't be evil" morals?

      I thought you pretty much to have "be evil" morals to get to Congress.

  • now all the stupid spammers have to do is flash their 12 for a dollar gov't I.D.'s and they're home free.
  • Access Controls? (Score:3, Interesting)

    by Reason58 ( 775044 ) on Friday November 06, 2009 @01:37PM (#30007758)

    S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.

    In essence, this means the only companies required to report a data breach are the ones that keep their information in a publicly facing database with no authentication.

  • that are widely accepted as an effective industry practice

    Windows is "widely accepted as an effective industry practice"; that doesn't make it so. Most people are not very good at security and will "accept" stupid practices.

  • by Mr_Blank ( 172031 ) on Friday November 06, 2009 @01:39PM (#30007784) Journal

    I am not sure the proposed law does much if redaction is all it takes to get a pass. From Law.com:

    Electronic Redaction Doesn't Always Hide What It's Supposed to Hide
    Paralegals need to know how to keep information confidential

    Dana J. Lesemann. The Recorder. May 05, 2006

    With the issue of intentional government leaks of classified information frequently in the news, the problem of unintentional leaks of classified and sensitive information is frequently overlooked. The examples are numerous and startling.

    Last year, U.S. military commanders in Iraq released a long-awaited report of the American investigation into the fatal shooting of an Italian agent escorting a freed hostage through a security checkpoint. In order to give the classified report the widest possible distribution, officials posted the document on the military's "Multinational Force-Iraq" Web site in Adobe's portable document format, or PDF. The report was heavily redacted, with sections obscured by black boxes.

    Within hours, however, readers in the blogosphere had discovered that the classified information would appear if the text was copied and pasted into Microsoft Word or any other word-processing program. Stars and Stripes, the Department of Defense newspaper, noted that the classified sections of the report covered "the securing of checkpoints, as well as specifics concerning how soldiers manned the checkpoint where the Italian intelligence officer was killed. In the past, Pentagon officials have repeatedly refused to discuss such details, citing security concerns." Soon after, the report was removed from the Web site.

    Copies of the improperly redacted report, however, live on. We at the consulting firm of Stroz Friedberg, too, were able to remove the redaction and save the clear text in a Word document. Forensic examiners in our office found that the document had been produced directly from Microsoft Word using Adobe Acrobat 6.0's PDFMaker. The redacted text simply had been highlighted in black. As a result, to reveal the classified information, the steps are simple: Highlight the text with the "select text" button on the PDF toolbar, copy the text by typing "control C," open a new document in a word-processing program and paste the text into the new document.

    Read more... [law.com]

    • by Slur ( 61510 )
      Thanks for the citation. That's what I was going to say: What standards for redaction are there, exactly? It seems to me like there are probably thousands of "redacted" documents just like the ones you cite.
  • by lax-goalie ( 730970 ) on Friday November 06, 2009 @01:55PM (#30007932)

    "Also, S.139 would grant an exemption for data that 'was rendered indecipherable through the use of best practices or methods, such as redaction, access controls, or other such mechanisms, that are widely accepted as an effective industry practice, or an effective industry standard.'"

    I think that the whole purpose of this is to cover things like storing passwords, etc., as hashed data. That's something I tried to get into Virginia's data breach law (and will probably give it a shot again this year), but try explaining the concept of "cryptographic hashes" to legislators who are mostly lawyers. Three guys on the subcommittee got it (engineers and tech guys), but it was WAY over everybody else's heads.

    And it's not just the legislators. the LexisNexis lobbyist went ballistic over the idea until she talked to somebody in her IT department, because she didn't understand what was going on.

    I understand what this language is supposed to do, but it's just poorly crafted.

  • I for one welcome our ROT13 encoding overlords.

  • by mlts ( 1038732 ) * on Friday November 06, 2009 @02:01PM (#30007984)

    Encryption is not a cure all for security needs. It is merely a tool, similar to locks on the door, guards with M16s, and CCTV cameras. Poorly implemented, it could mean little to a clued attacker, and businesses need to realize that the clued attackers are far more common that they think.

    One example: Say someone uses the hardware encryption on a tape drive. Tape drives can have encryption set in multiple ways. It can be manually set for all tapes, or the backup application can manage keys and set the encryption pet tape. If an organization is slipshod about the way they use the encryption and use one key for all tapes, and have that key information written on the proverbial slip of paper on the monitor, then an attacker can grab the tapes, perhaps grab a tape drive or buy one, and decrypt the info to their hearts content. Compare this to an organization which uses more stringent backup procedures so that even if a tape is stolen by an insider, it won't be decodable.

    Another example: BitLocker. If implemented right, BitLocker is solid against most known threats (avenues like rubber hoses and RAM scanning via IEEE1394 are different). However, if someone installs BitLocker and then disables all key protectors, to a competant attacker, the BitLocker protection is dealt with. Same with people using BitLocker on machines without TPMs using USB flash drives, and not making sure the flash drive is stored securely.

    There are various implementions of encryption. ECB is a bad version (because an attacker can figure out what a block matches to). A good implementation might use multiple diffusers and an algorithm like XTS so an attacker can't compare sector 55 with sector 157 and determine if the contents are similar. So, even though a program might use AES, if salts and other crypto concepts are not used, it severely weakens security.

    Finally, TrueCrypt. If someone thinks that TrueCrypt fixes all their security issues and doesn't concern themselves with attacks over the wire, an attacker can either slap a keylogger on a machine, or just read the volume decryption keys from memory, then at a later date grab the disks if there is too much data to fetch from remote. If TrueCrypt is used with proper protection against network attacks (firewall, etc.) then it provides excellent protection.

    I am concerned that a law exempting breaches from being disclosed would only work in the blackhat's favor. In theory, someone could rot13 the data on the drive, or AES it with an all zero key to make the security that comes with encryption meaningless.

    • Law is best if it is technology wordiness agnostic. If it is tied to a specific vendor or method as soon as its law that vendor goes casters up or method is cracked. Then the law has to be changed by due process.

      It would be best to point the Law to a having a working "policy" document such as something in the NIST 800 series. Each company or government agency could then determine and publish the exact level of security they want but no less than a minimum. Not everything should be .mil hard encryption but d

      • by mlts ( 1038732 ) *

        Key escrow is a bad concept in general. Even for a medium sized business, it takes some planning headaches, especially if people factor in having access by multiple employees in case one of them dies, goes rogue, or just quits and refuses to divulge the keys.

        The biggest problem with key escrow is the "all eggs in one basket" issue. The more keys stored in a certain location, the more high value the target becomes. After a certain threshold with a large amount of corporate keys stored, it becomes economic

  • "Sure, Ryan and his boys can make it hack-proof. But that don't mean we ain't gonna hack it."

  • Root cause analysis (Score:4, Informative)

    by iztehsux ( 1339985 ) on Friday November 06, 2009 @02:13PM (#30008140)
    You'd think that large corporations would already have incentive to secure their data, aside from being required to do so. I would imagine that the cost of taking some basic measures to up your game would be much cheaper than paying out large sums of money in lawsuits to people who had their credentials compromised. Simple things like full drive crypto on laptops, or sanitizing database inputs to prevent SQL injection are not difficult to do, yet would prevent against a laptop theft from a car or someone dumping your entire database. Cryptography is good, but not invincible. Motivated attackers can use distributed cracking tools, rainbow tables, or merely exploit a weak avenue and wait for password re-use. I'd like to see requirements for companies notifying individuals if there has been a breach, but I'd also prefer that simple security measures were put in place so that disclosure laws didn't need to be invoked very often.
  • by Anonymous Coward

    A few years ago, at one of the last National Information Security Systems Conference meetings, one of the speakers noted that for 30+ years, people had been trying to make multilevel secure databases, with lots of very clever methods tried.
    All these efforts failed.
    It was found that you could keep all those secrets securely, but performance in retrieving any of them went off a cliff. If you wanted good performance, there were always open channels.
    The relevance is that Nature may be trying to tell us here tha

  • Why is the default for filesystems to be unencrypted?

    Why is the default for email unencrypted?

    In fact, in any current OS, Windows/Linux/OSX, I have to go out of my way to add encryption to either my data or my email. And if I do encrypt my email, I will just get blank stares from the recipients, because their client will not have a clue.

  • I'm sure someone will correct me if I'm wrong, but according to the DMCA, bitswapping is considered as encryption. (Remember dvd encryption, and how it only took those guys mere minutes to brute force against it? That made me want to laugh myself to death.) What's to prevent the health care industry from doing the minimum encryption possible? Most corporations are mostly interested in the bottom line, which means the minimum dollar amount required to achieve the minimum compliance level necessary to cover
  • The company should be allowed to explain what type of encryption the data was protected with when informing customers of the breach

    But should not be relieved of the notification. Mere data encryption does not assure the info has not been exposed and won't be, based on the breach.

  • ... our National Data wouldn't be walking around without pants.

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...