Data Security for Payment Card & Social Security Numbers?
Bills pending in the Michigan and Washington state legislatures would mandate that personal information stored in business computers be “encrypted.” Legislatures are unwise to engage in such micro-management.
Distinguish Goals from Technologies for Reaching Goals
When a legislature specifies a technology like "encryption," it goes beyond stating a goal and requiring that the goal be met. The legislature selects the precise technical means for reaching the goal. In other words, when a legislature dictates technical measures like "encryption," it assumes the role of a professional engineer. But state legislatures are not qualified to provide professional engineering services!
Encryption is a powerful data security tool. But it is not necessarily always the best way to achieve a data security goal. The successful implementation of encryption in a specific setting involves many issues and tradeoffs.
For example, a panel of security experts recently pointed out that the encryption of data in storage (as opposed to data in transit) raises vexing questions about the key infrastructure that underpins the encryption. When an enterprise encrypts lots of its stored data, a hacker has incentive to attack the encryption scheme's key infrastructure. If the hacker can defeat the key infrastructure, she can deny the enterprise access to its data. That means the hacker can put the enterprise out of business, or blackmail the enterprise. Thus, the indiscriminate use of encryption may increase the overall social risk associated with stored private data.
The lesson is: Data security is a complex field of engineering. State legislatures should steer clear of it.
Utah Law Is Model for Bad Legislation
In 1995 the Utah legislature adopted pioneering legislation to stimulate growth of public key infrastructure (PKI). The legislature received lots of detailed advice from experts. The legislature crafted legislation that was very technically specific. At the time, and for several years thereafter, some experts hailed the Utah legislation as a model and as a great catalyst for e-commerce. However, it is safe to say today that the Utah Digital Signature Act was an absolute bust. It achieved none of its goals. It was far too technically specific to be of any value to industry.
The Michigan and Washington legislatures should remember the Utah experience as they draft legislation. A wise legislature might require, for example, that businesses use "reasonable security procedures" (a general goal) rather than that they use "encryption" (a specific technology).
Update: Here's a simple example of why legislatures have no business legislating words like "encryption." In Indiana newly-enacted House Bill (HB) 1197 (aka Public Law 136) tries to define "Breach of the security of a system". One of the ways HB 1197 achieves its definition is by telling us what a breach of security is not. It says security has not been breached if data have been encrypted and the "encryption key" has not been compromised. Hmmm. Doesn't that sorta make sense? . . . But wait. Does it always make sense? What about a public key cryptosystem? Public key cryptosystems can be used effectively to encrypt data and keep it private. Sometimes in a public key system, it is not the protection of the encryption key that protects data privacy. Sometimes it is protection of the decryption key that protects privacy! For purposes of certain legitimate applications of a public key cryptosystem, the drafter of HB 1197 seems to have missed the boat completely.
--By Benjamin Wright
Attorney Wright teaches the law of data security and investigations at the SANS Institute.
Update: See my analysis of a breach notification where data on a stolen laptop are encrypted.
Related: Data breach investigation -- legal expectations.
[Footnote: In this post I mentioned the laws (or proposed laws) of some states. Please understand that when I blog about the law of a state like Indiana, I have not necessarily researched all the relevant regulations and rulings in that state. And whatever I say here could easily be out of date. So if you need a reliable legal opinion about the law of any state, you need to go some place else to get it. Also, the fact that this post does not mention any other state -- Florida, California, New Jersey, Illinois, Missouri, whatever -- means nothing. Other states may have encryption laws that I've not mentioned.]