New York Attorney General Eric T. Schneiderman announced last week that he will be pursuing updates to the state’s data security laws. Among the proposals are changes to the legal definition of “personal information”; introducing safe harbor for companies that meet security standards; and encouraging the sharing of forensic data. It sounds as if security software like AlertBoot’s cloud-managed laptop encryption services will be even more important in the future.
Encryption Provides Safe Harbor
When I started to look into the new proposal, I specifically looked for language on whether the use of encryption software would provide safe harbor to organizations experiencing a data breach. Going as far back as 2003, when California became the first state to enforce a breach notification law, encrypted data has been exempt from notification, which protected companies that lost a laptop or had their computers stolen during a break-in.
New York did not provide such safe harbor as of 2007. At least, not that I can recall. I remember thinking it was odd, given that the finance sector in the so-called "finance capital of the world" has been making use of computer encryption since at least the mid 1990s. Its constituents would have appreciated the immunity without a doubt.
I found out, however, that the use of encryption as safe harbor was already on the books:
§ 208. Notification; person without valid authorization has acquired private information. 1. As used in this section, the following terms shall have the following meanings:
(a) “Private information” shall mean personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
Not only is it on the books, it's actually a good one. One of the earliest criticisms of encryption as safe harbor was that the laws made no provision for instances where the encryption key or password was compromised along with the data. Obviously, encryption provides no security in that scenario: a stolen laptop whose password is written on a note in the same bag, or a drive whose key is recovered together with it, is effectively unencrypted. The laws ought to reflect that, and New York's definition does, since data is only "encrypted" for its purposes when the key has not also been acquired.
The new proposal apparently builds on this: the use of "reasonable" security measures (administrative, technical, and physical safeguards) would be required.
Giving Organizations a Reason to Comply
Beyond meeting the legal minimum, organizations would be given an incentive to implement stronger data security. The mechanism looks a little involved, though:
…. offer a safe harbor if a company adopts a heightened form of security. To comply… the entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.
Giving Reasons to Share
Last but not least, the law would provide incentives for organizations affected by a data breach to go to the authorities and share forensic data, as opposed to keeping a lid on the situation. That is quite a perceptive provision.