Mandatory Disclosures for Security Breaches
In the aftermath of ChoicePoint and several other high-profile incidents in which customer information was compromised, the US Congress issued some strong statements and passed a series of bills aimed at strict disclosure requirements. In short, disclosures are no longer going to be voluntary, a matter of good governance and transparency; they are going to be necessary and required by law.
Nothing has yet emerged from all this, but the consensus is that Federal legislation will be put in place which will provide at least a uniform approach to disclosure. Most of the states (at last count, 13 states had moved to enact laws on data protection and privacy) have taken California's SB 1386 as the baseline, but some, like NY, have taken it further, in an attempt to show business that they are serious about forcing companies to implement adequate safeguards which go beyond a simple firewall and intrusion prevention system. In NY, the smallest breach now needs to be reported to an industry watchdog, and this covers encrypted and unencrypted data in any form which is not, or cannot be, accounted for.
While on the topic of encryption: the US National Institute of Standards and Technology (NIST) advocates 256-bit encryption (e.g. AES-256), which by its reckoning is not commercially viable to break.
However, this author believes that no matter what the level of encryption, there will always remain the possibility that the encryption key is stolen. This is a very likely scenario in an internal breach, where an employee runs off with copied data and then decrypts it using a stolen key.
Which again raises the issue of how we protect keys: do we buy expensive devices like hardware key managers (hardware security modules, or HSMs)? It's a process which can go on and on, with no real end in sight.
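To make the key-theft point concrete, here is an added example (not code from the original post or its author) using only Go's standard library. It encrypts a customer record with AES-256-GCM under a per-record data key (DEK), then wraps that DEK under a key-encryption key (KEK). The KEK is just an in-memory value here, standing in for a key that would live inside an HSM or key manager; that, and the names BreachDump, Protect, RecoverWithKEK and RecoverWithStolenDEK, are assumptions of this demo. The three scenarios in main show what a copied database dump is worth with no KEK, with the KEK, and with a stolen raw DEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// BreachDump is what an insider copying the database walks off with: the
// encrypted record plus its data key, itself wrapped under a key-encryption
// key (KEK) that in a real deployment never leaves the key manager / HSM.
type BreachDump struct {
	Record     []byte // AES-256-GCM ciphertext of the customer record
	WrappedDEK []byte // the 256-bit data key, sealed under the KEK
}

// newKey returns 32 random bytes, i.e. a 256-bit AES key.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// sealGCM encrypts and authenticates plaintext with AES-256-GCM, prepending the nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; a wrong key fails the GCM tag check and returns an error.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Protect encrypts a record under a fresh DEK and wraps the DEK under the KEK.
// The raw DEK is returned only so the demo can model its theft.
func Protect(kek, record []byte) (BreachDump, []byte, error) {
	dek, err := newKey()
	if err != nil {
		return BreachDump{}, nil, err
	}
	ct, err := sealGCM(dek, record)
	if err != nil {
		return BreachDump{}, nil, err
	}
	wrapped, err := sealGCM(kek, dek)
	return BreachDump{Record: ct, WrappedDEK: wrapped}, dek, err
}

// RecoverWithKEK is the legitimate path: unwrap the DEK with the KEK, then
// decrypt the record. With the wrong KEK the unwrap fails and nothing leaks.
func RecoverWithKEK(kek []byte, d BreachDump) ([]byte, error) {
	dek, err := openGCM(kek, d.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, d.Record)
}

// RecoverWithStolenDEK is the insider scenario from the post: whoever holds the
// raw data key decrypts the record directly; the 256-bit key size is irrelevant.
func RecoverWithStolenDEK(dek []byte, d BreachDump) ([]byte, error) {
	return openGCM(dek, d.Record)
}

func main() {
	kek, _ := newKey()                              // stands in for the HSM-held key (demo assumption)
	record := []byte("name=J. Doe;ssn=123-45-6789") // constructed sample record
	d, dek, err := Protect(kek, record)
	if err != nil {
		panic(err)
	}
	wrongKEK, _ := newKey()
	_, err = RecoverWithKEK(wrongKEK, d)
	fmt.Println("dump alone, wrong KEK:", err)
	pt, _ := RecoverWithKEK(kek, d)
	fmt.Println("dump + KEK:           ", string(pt))
	pt, _ = RecoverWithStolenDEK(dek, d)
	fmt.Println("dump + stolen DEK:    ", string(pt))
}
```

The point of the split is in the last two calls: a copied dump plus the wrapped DEK is useless to whoever lacks the KEK, so the key-protection problem collapses to protecting one KEK rather than every data key; but the moment the raw DEK (or the KEK) leaves the key manager with an insider, the ciphertext decrypts just as easily as plaintext would have read.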
Meanwhile, the debate in the US rages on about what regulations and compliance requirements businesses should be subject to whenever they are 'handling' customer information.
There is an interesting article on CSO Online which summarizes these points.
http://www2.csoonline.com/blog_view.html?CID=14426
Post your comments or write to me at rdutta@mielesecurity.com
Cheers
Rion

What! Is this the last post on this blog?
Is it the end of the ‘forum’?
Comment by Sunil — December 14, 2005 @ 8:17 am