California Data Security: AG’s Office Reports 2.5 Million Californians’ Data Breached Since 2010.

The state of California is again in the vanguard, releasing a “first report of its kind.”  The state Attorney General has released the Golden State’s Data Breach Report 2012, a forty-page document that breaks down and analyzes data breaches that were reported in California in the past year.  The importance of using encryption to protect data is highlighted throughout the document, once again emphasizing the importance of data encryption solutions when it comes to data security.

Encryption is a Carrot

One of the most arresting paragraphs in the document is the following:

These breaches are essentially the result of deficient data management policies or practices, in particular, a failure to encrypt sensitive data when it is in transit on portable devices or in emails.  In spite of the carrot of the breach notification law’s encryption exemption, organizations are subjecting too many Californians to a risk that is eminently avoidable.

What this essentially tells us is that encryption, at least in the state of California, is viewed as a tried and true method of protecting data.  Indeed, the implication is that it’s a way to avoid being investigated by the Attorney General’s office in case a company finds itself in a quandary because it lost a laptop full of personal data.

And why not?  Encrypted data, after all, is protected data.  Furthermore, there is this to consider:

The Attorney General’s Office will make it an enforcement priority to investigate breaches involving unencrypted personal information, and encourages our allied law enforcement agencies to similarly prioritize these investigations.

While the AG does not promise that encryption will absolve a company from being investigated (or does it?  When an AG describes something as an “exemption” to the law, as in “breach notification law’s encryption exemption,” it seems pretty straightforward), it is promising to investigate instances where it isn’t used.  This is only sensible: if, for example, the password to a laptop’s disk encryption is taped to the bottom of the machine, there is no real security in place, and the AG should be going after a company that has violated the spirit of the law as well as the trust of its customers.

California AG Unofficially Supports AES Encryption

There is also a surprising turn of events.  All the data breach laws and information security regulations I have read so far have been devoid of one thing: which encryption program to use in order to comply with the regulation or the law.

In the US, only the government (non-military agencies) is required to use a particular encryption program: AES, or Advanced Encryption Standard.  Commercial entities can use whatever they want, although certain state laws require that the selected solution meet the approval, if you will, of the average security professional.  In other words, chances are you can’t use something that was developed by a first-year crypto major at whatever university.

But that still leaves the question: which one?  There are a lot of options out there.  Well, the California AG offers a glimpse into what they would consider a proper, secure encryption program:

We also recommend enacting a law to require the use of encryption to protect personal information on portable devices and media and in email.  An appropriate encryption standard might be FIPS 197, the National Institute of Standards and Technology’s standard approved for U.S. Government organizations to protect higher risk information.

If you haven’t gotten the hint from that last part, FIPS 197 is AES.

I don’t know if this recommendation will actually become law.  One of the reasons why security professionals are loath to recommend one cryptographic solution over others is that each has its pros and cons.  Also, what happens if you encode it into law and six months down the road it turns out to have an irreparable vulnerability?  You can change the law, but it usually takes a while.  Meanwhile you have to live with a loophole.

But, as a pragmatist, I take the above pronouncement by the AG as an unofficial recommendation for AES, and would recommend any businesses in California to use a solution whose foundation is based on it.

Incidentally, AlertBoot’s managed encryption solutions are AES-256.
