New Mexico will be the latest US state to add a data breach notification law to its books. Once the bill officially becomes a law, only two states – Alabama and South Dakota – will remain outsiders to the crazy idea that people should be notified if their personal data is hacked.
You can read the bill in all its glory at this link (it’s a PDF file), but the introduction to it gives you a good idea of what’s up:
RELATING TO CONSUMER PROTECTION; CREATING THE DATA BREACH
NOTIFICATION ACT; REQUIRING NOTIFICATION TO PERSONS AFFECTED BY
A SECURITY BREACH INVOLVING PERSONAL IDENTIFYING INFORMATION;
REQUIRING SECURE STORAGE AND DISPOSAL OF DATA CONTAINING
PERSONAL IDENTIFYING INFORMATION; REQUIRING NOTIFICATION TO
CONSUMER REPORTING AGENCIES AND THE OFFICE OF THE ATTORNEY
GENERAL; PROVIDING CIVIL PENALTIES; EXEMPTING NEW MEXICO AND
ITS POLITICAL SUBDIVISIONS FROM COMPLIANCE WITH THE DATA BREACH
There is a potential problem, though. One of the definitions the bill lays out for its own purposes (emphasis mine in the passage below):
“personal identifying information”: (1) means an individual’s first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable: [redacted]
The definition above is carving out what does not count as personal information. For example, an SSN that was encrypted is not personal identifying information, and so its loss would be excluded from the data breach notification requirements.
The problem lies in the passage “otherwise rendered unreadable or unusable,” which could very well work against the spirit of the law. For example, hashing data with a known one-way function renders it unreadable in a very narrow, technical sense. However, data transformed in this fashion is not considered secure, because recovering the original information from the hash can be quite easy.
You’re probably very aware that there have been many data breaches in the last ten years or so. In most cases where stolen passwords were involved, the “security” behind said passwords was a hash – and, with the exception of a handful of instances, security professionals agreed that people needed to change their passwords ASAP, especially if the password was re-used at other sites.
Why? Because hashing, unlike encryption or redaction (read: deleting stuff), can be defeated with enough trial and error. And computers are great at trial and error.
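To make the trial-and-error point concrete, here is an added example (my own code, not from the bill or the article) that models what the holder of a breached record can do with a hashed identifier. It assumes a constructed six-digit numeric identifier rather than a real nine-digit SSN, purely to keep the run time short; the input domain of a real SSN is larger but still small enough to enumerate. Three ways of “rendering the value unreadable” are compared: a plain SHA-256 hash, a salted hash where the salt is stored beside the digest, and an HMAC under a key that lives outside the breached data store, which stands in for proper encryption because the Python standard library has no AES. The enumeration only uses what is in the stolen record, so the keyed form cannot be matched.

```python
"""Added example: why a hash of a low-entropy field is 'unreadable' only in
a narrow technical sense.  Not part of the original article.

Attacker model: the holder of a breached record knows the hash algorithm
(it is public), the record contents (digest, and salt if stored), and the
set of possible inputs.  They do NOT hold any key kept outside the store.
All values below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed toy domain: a six-digit numeric identifier (10**6 candidates).
# A real SSN has 10**9 candidates, which is still a small space for a
# modern machine, but too slow for a stand-alone Python demo.
DOMAIN_SIZE = 10**6


def candidates() -> Iterable[str]:
    """Every possible identifier in the toy domain, zero-padded."""
    return (f"{n:06d}" for n in range(DOMAIN_SIZE))


# --- Three ways of "rendering unreadable" -------------------------------

def plain_hash(value: str) -> dict:
    """Unkeyed hash: the only secret is the input itself."""
    return {"digest": hashlib.sha256(value.encode()).hexdigest()}


def salted_hash(value: str, salt: Optional[bytes] = None) -> dict:
    """Per-record salt.  It blocks precomputed tables, but the salt is stored
    next to the digest and so is available to whoever stole the record."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.sha256(salt + value.encode()).hexdigest()
    return {"digest": digest, "salt": salt.hex()}


def keyed_transform(value: str, key: bytes) -> dict:
    """HMAC under a key held outside the breached data store.  Stand-in for
    encryption here: without the key the stored value cannot be matched."""
    return {"digest": hmac.new(key, value.encode(), hashlib.sha256).hexdigest()}


# --- What the holder of the breached record can do -----------------------

def recover_by_enumeration(record: dict) -> Optional[str]:
    """Hash every candidate the way the record was produced, using only
    data found in the record (digest and, if present, salt).  A key kept
    elsewhere is unavailable, so keyed records are tried unkeyed and fail."""
    salt = bytes.fromhex(record["salt"]) if "salt" in record else b""
    target = record["digest"]
    for cand in candidates():
        if hashlib.sha256(salt + cand.encode()).hexdigest() == target:
            return cand
    return None


def assess(value: str, key: bytes) -> dict:
    """Per transform, report whether enumeration recovered the input."""
    return {
        "plain_hash": recover_by_enumeration(plain_hash(value)) == value,
        "salted_hash": recover_by_enumeration(salted_hash(value)) == value,
        "keyed": recover_by_enumeration(keyed_transform(value, key)) == value,
    }


if __name__ == "__main__":
    sample = "123456"                 # constructed identifier
    key = secrets.token_bytes(32)     # held by the data owner, not in the record
    for name, recovered in assess(sample, key).items():
        print(f"{name:12s} recovered by enumeration: {recovered}")
```

The salted variant is included as a caveat: salting is often assumed to fix the problem, but for a field whose whole input space can be enumerated it only removes the shortcut of a precomputed table. What actually changes the outcome is a secret that is not in the breached record, which is exactly the property the bill’s definition of “encrypted” captures and the “otherwise rendered unreadable” wording does not.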
The fact that the controversial passage is attached to the definition of personal identifying information, as opposed to the definition of encryption, doesn’t change the situation because it leads to the same problem: since personal data that is “otherwise…unreadable” is not legally personal identifying information, it can be argued that hashed personal info (just like encrypted personal info) can be excluded from the purview of this law.
At Least They Got Encryption Right
Adding self-defeating language like this to the books is disappointing, especially when the drafters of the bill went through the trouble of defining encryption correctly:
“encrypted” means rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security
When data breach notification laws were passed in the past, there were instances where encryption was defined in such a way that equated it with hashing. Doing so is a security faux pas because companies could argue that their hashed data was “encrypted” per the legal definition, and thus be excluded from notifying customers.
It bears repeating: hashing is not considered a proper security mechanism in the event of a data breach – it isn’t “a security technology or methodology generally accepted in the field of information security.”
As time went by and lawmakers gained more experience and knowledge, the law correctly began to reflect what was and wasn’t proper data security.
It looks like we need to do better, however.