In 2016, Tennessee created something of a legal furor when it became the first state to require data breach notifications (DBN) even if the lost or stolen data was protected with encryption. Earlier this month, a new law took effect that “clarifies [this] confusion” for companies: they are not required to send DBNs if the data was encrypted, assuming that the encryption was not compromised as well (for example, if the encryption key was also breached).
Cognitive Dissonance? Or Merely Not Understanding What Encryption Does?
When Tennessee’s amendment to its breach notification law was passed last year, it came as something of a shock to many. There were many milestones in 2016 – as there are every single year, admittedly – and among them was encryption. Specifically, the strength of encryption: last year was when Apple and the FBI went to court over encryption, due to the latter’s demand that Apple compromise the strength of the cryptographic protections on iPhones. The demand was a result of the FBI’s inability to get into the San Bernardino shooter’s smartphone (as well as others, as it turned out).
The FBI stopped their lawsuit at the last minute, saying that they had found a way into the phone after all; some claimed that the FBI folded strategically, since it looked like Apple would win and create a precedent-setting case.
Despite the lack of a solid conclusion, it was a milestone regardless: the media covered the situation in unprecedented detail; more people than ever tuned in and learned about encryption and its impact in modern society’s digital works; and, perhaps most importantly, politicians who loudly clamored for Apple to bow down to the FBI’s demands started backpedaling after finding out why encryption has to be as strong as it can possibly be.
The case was a culmination of many encryption-related episodes, such as the global adoption of encrypted internet connections by the top social media sites, and communications app-makers changing their software code so that even they can’t access a client’s private communications.
So, finding out that Tennessee wouldn’t consider encrypted data to be secured came like a bolt out of the blue. Especially when:
The 2016 amended law, however, still mentioned in another section that encryption was a positive means of protecting data. This created confusion for companies… (bna.com)
Of course, if one thinks about it, this is not necessarily contradictory. A strongbox is also a positive means of protecting data: think of a dossier placed inside a bank vault. If that dossier is stolen, well, it should be a reportable data breach. If the documents are stolen, by definition the protection is gone.
And, because of how encryption works, that’s where this analogy breaks down: if you will, under encryption, the dossier is the bank vault. Heck, each sheet of paper in the dossier can be the bank vault. In other words, if encrypted data is stolen, the thief still has to find a way to break into this particular vault called “encryption.”
Chances are that 99.999% of the time when data is stolen or lost, encrypted content can be accessed only if the thief also has a key (or a password, which is essentially a proxy for the encryption key). Based on this year’s amendment, it looks like Tennessee’s governing body was trying to address this inherent “weakness” in encryption when it passed its law last year: if the thief has a key, he has access.
Perfectly Valid Concern
As any security professional – and now, most lay people in the US – will tell you, encryption is one of the best ways to protect data. It’s not the only way, and it’s not infallible, but it is one of the best. Some may even say it is the best way.
But again, that doesn’t mean it’s infallible. There are ways to get past encryption:
- Guess the encryption key or the password to the encrypted content.
- Steal the encryption key or the password.
- Physically threaten a person for the encryption key or the password.
- Carry out said threat on a person (but make sure they’re conscious so you can get the key or password once they cry uncle).
- Plant malware on a computer so that you don’t have to do any guessing, stealing, or threatening. Technology at work.
- Do an analysis of the encryption used to see if there are any inherent weaknesses that can be exploited (not for the average person; can be difficult even for government agencies awash with black ops slush funds). Especially if someone leaks said weaknesses on the internet.
As you see, there aren’t too many ways but, with the exception of that last one, it is relatively easy to get past encryption… assuming you can fulfill certain conditions – conditions that are simple but potentially difficult to carry out. (Or, not difficult at all, which is why, when you’re going to fire someone, you should revoke his access to your company’s resources before letting him know he’s being let go.)
Yet, it seems that most data breach notification laws were passed without taking into consideration things like the above. If stolen data was already encrypted, it was given safe harbor from DBNs.
In fact, in certain cases, breached data was given safe harbor from DBNs even if encryption was not used, because the law had defined encryption too broadly. So, despite violating the spirit of the law, ROT-13 “encryption” would have met the conditions for excluding oneself from DBNs, even though it is not encryption in any sense of the word.
Tennessee’s foul-up may have caused confusion and consternation for many over the past year, but it should be applauded for what it was: a law that further empowers constituents of that state.