The stars aligned today to alert me to the fact that the US’s favorite Austrian import, Arnold Schwarzenegger, is not governor anymore (in fact, he’s been retired from public office since early this month). First, there was the morning “news” where the Governator was announcing his return to Hollywood. Second was an RSS feed that I read that stated Rep. Joe Simitian would re-introduce a bill that had been vetoed by Schwarzenegger.
California’s breakthrough data breach notification bill, now emulated by at least 40 states and by governments the world over, required that people whose personal data was breached be notified. Companies that used personal information encryption got a reprieve from making the embarrassing (and, potentially, financially detrimental) announcement.
This is due to the near impossibility for strong encryption like AES-256 (which powers AlertBoot endpoint security software) to be breached. Short of correctly guessing the password, the thief would have a better chance of making the NBA than of breaking into an encrypted file.
The Next Logical Step
Breach notifications have helped more than they have harmed, but eight years into the law, it’s quite apparent that there are shortcomings to the law. For example, certain states have copied California’s law onto their books and also added the caveat that the password for accessing the encrypted data must not be available the thief.
Others have added that breaches occurring due to stolen paperwork must also be made public, while others have extended the requirement for encryption to wireless data as well.
But what most haven’t done is update their laws regarding the breach notifications themselves. In fact, most states don’t have any rules addressing what’s supposed to be included in the notification letters. This has brought its own set of abuses, with certain companies not mentioning how or when a data breach occurred, or even what type of data was lost.
Rep. Simitian’s bill, which I covered earlier, would stop such a practice by making certain information obligatory in the notification letters.
I think it’s a great idea. The point behind the notification letters is to alert consumers so they can act. Deprive them of useful data and you compromise the effectiveness of these letters.
Related Articles and Sites: