California was the first state in the US to pass a data breach notification law, all the way back in 2003. In the intervening fifteen years, every other state has passed a similar law. The federal government has repeatedly attempted to pass one as well, so far without success. Federal legislation that would replace the current mishmash of 50 laws – similar but not identical to one another, and a source of confusion for companies trying to comply after a data breach – is more necessary than ever.
While we wait for such a law to materialize, California is expanding the protections afforded by the one that started it all. About a week ago, the Eureka state proposed California bill AB 1130, which would add biometric and other data to the definition of “personal information.” By doing so, such data would fall under the auspices of the current data breach notification law.
As of today, the following are defined as personal information for data breach notification purposes under California law:
- The person’s Social Security number.
- A driver’s license or California identification card number.
- The person’s medical information or health insurance information.
- A person’s account number, credit card number, or debit card number, in combination with the security code, password, or access code that would permit unauthorized access to the account.
- Information collected through an automated license recognition system. (That is, data obtained via license plate scanners).
When AB 1130 passes, the list will include biometric data as well as passport and government identification numbers. The need to include these became evident when data breaches last year revealed such information to be at risk as well.
And that’s well and good. But is this the right way to approach things? It’s not unrealistic to assume that, as time goes by, the definition of personal information will need to expand, not only because new types of personal information are created (biometrics, for example, were not invented as we understand them until the mid-1990s) but also because new methods of abusing pre-existing types of personal data are developed, ones that don’t fall under the legal definition. For example, who could have foreseen the abuse of SSNs by filing fake tax returns when the internet went “public” at the end of the last century?
And, government being what it is, it will always be one step behind the people who dream up these abuses. Essentially, legislation will always play catch up. But, it doesn’t need to be this way.
Encryption Is What the Pros Say It Is
Take a look at how California defines encryption for data breach notification purposes:
“encrypted” means rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology *generally accepted in the field of information security*.
Notice how odd the emphasized part sounds. Encryption is defined this way because of the shifting nature of encryption. At a technical level, there is a very specific but broad way to define what encryption is, and that definition even applies to what was used two millennia ago: the Caesar cipher, named after Julius Caesar, is one example.
However, the Caesar cipher is no longer a valid form of encryption because it is too easily cracked. So, while it technically adheres to what encryption is, professionals in the information security field wouldn’t use it. Indeed, they would counsel against using it. But again, it is encryption. So, without the emphasized portion in the definition above, companies could comply with the law using encryption that is invalid or outdated or useless. (Why would companies do this? Because it would be cheap. Probably free).
Of course, one could create a superior definition for encryption by adding technical jargon. But again, there’s that shifting aspect to encryption. Codify technical specifics into law today and they could be invalid the day after. You would potentially run into the problem of having to update the law each time some vulnerability is uncovered.
Thus, the law, in order not to be updated constantly, and to ensure that it meets its true objectives, had to be defined in a way so that it would reflect what strong, valid encryption is. And, surprisingly for a field that is mostly mathematics, that definition lies in what most professionals in the field agree it is (and is not), a seemingly arbitrary and subjective way of defining it… but one that works.
Likewise, the definition of “personal information” may need to include similar fuzzy logic to it, in the interest of minimizing whatever loopholes may spring up in the future.
There are downsides to this, obviously, but one upside is that it would force companies to really consider what they are doing. Many point out that the current data security environment (which, to be completely frank, is quite lacking) is partly due to the checklist approach: check off an item on the list of legal requirements and you’re golden.
But not really, as the steady stream of data breaches to date has attested.