April 03, 2006

No matter what congress says, encryption still isn't a panacea

Last week, the "Energy and Commerce" Committee of the US House of Representatives approved HR 4127, the "Data Accountability and Trust Act". In case you haven't heard of it, this bill basically does what SB1386 did, but at the federal level rather than at the state level - unless, of course, the data is encrypted. So what does that mean? According to the bill:

ENCRYPTION- The term `encryption' means the protection of data in electronic form in storage or in transit using an encryption algorithm implemented within a validated cryptographic module that has been approved by the National Institute of Standards and Technology or another comparable standards body recognized by the Commission, rendering such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

Now, that's interesting. I'm reading the line about a "validated cryptographic module... approved by [NIST]..." to mean FIPS 140-2. In the past, I've been hard on FIPS 140, since I think that in some cases a certification requirement can trump common sense. SB-1386 does not specify what, exactly, "encrypted" means, saying disclosure is required only when "...whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person..." The issue, of course, is that "encrypted" (or "unencrypted", for that matter) can mean different things to different people. Somebody could use EFS under Windows 2000, adding absolutely no security to the data on the machine, yet claim "safe harbor" under 1386. Not so in this new bill. So, kudos to the House for stepping up to the plate and actually putting in some safeguards to make sure that this provision means something.

Of course, given the fact that not a week goes by where we don't have some new disclosure about stolen PII, I'm not sure that we're going to see anyone using this new and harder-to-meet safe harbor requirement. But that's another matter.

Posted by Ed at April 3, 2006 12:50 PM