From: Arshad Noor (arshad.noor strongauth.com)
Date: Fri Jun 06 2008 - 18:13:39 CDT
----- Original Message -----
From: "security curmudgeon" <jericho attrition.org>
To: dataloss attrition.org
Sent: Friday, June 6, 2008 1:06:01 PM (GMT-0800) America/Los_Angeles
Subject: Re: [Dataloss] time to name names (was Re: MORE BNY (Mellon Corp) Tapes lost)

Taking this one step farther, what if the tape *is* encrypted using really
strong encryption and the tape is lost. Does the company have to warn
customers?

Certainly not in California. The Breach Disclosure law (originally
SB-1386) provides a safe-harbor for encrypted data. Not sure what the
other 42 US states do, but they modeled their laws along the lines of
California's to the best of my knowledge.

If not, will that lead to companies claiming strong encryption
regardless,....

This is a weakness in all Breach Disclosure laws. They do not specify
the type of encryption. While I agree that lawmakers are not the most
qualified people to determine appropriate ciphers, they could have at
least pointed to NIST standards as the minimum. That would have given
us 3DES and AES encryption. Right now, we have nothing. Very
short-sighted.

Arshad Noor
StrongAuth, Inc.