Compliance Does Not Equal Security
Ben Halpert / July 2007
Mobile Enterprise

Privacy breach notification laws have been enacted by most states. But while the legislation has consumer rights in mind, the content of the laws could be much improved. As currently written, as long as organizations encrypt personal information, they don’t need to disclose that the hard drive, mobile device, storage media, etc., has been potentially compromised. While the intention is sound, the requirement is flawed.

Basically, cryptography is the process of converting information into an incomprehensible (encrypted) form that can only be understood (decrypted) by an intended recipient. To encrypt or decrypt information you must use an algorithm in conjunction with a key. The algorithm is the mathematical procedure that transforms the information; the key is the secret value that steers that procedure, so the same algorithm with a different key produces different output and a different algorithm with the same key is no help to an attacker who lacks it. In practical terms, if you know the key, or the password from which the key is derived, you can read the data.

While the legislation focuses on “unencrypted personal information,” it neglects to mention the strength of the key. Don’t get me wrong, we need the legislation; it just needs to focus on the right aspects. If you use a trustworthy algorithm, which AES (Advanced Encryption Standard) is considered to be, but protect the information with a password of 123456, you defeat the algorithm’s purpose: an attacker who recovers the device does not need to break AES, only to guess the password, and 123456 is among the first guesses anyone tries. Encrypting the information in this case provides no protection.
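To make the point concrete, here is an added example (written for this page, not the author’s code) in Go: a record is sealed with AES-256-GCM under a key derived from a password, and then an attacker who has found the device tries a short list of common passwords offline. The customer record, the password list, and the simplified iterated-SHA-256 key derivation are all constructed for the illustration; a real tool would use PBKDF2, scrypt or Argon2, which makes each guess slower but cannot rescue a password that is one of the first ten anyone tries.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	saltLen       = 16
	kdfIterations = 2000 // small so the demo runs fast; makes no difference against "123456"
)

// constructedRecord is a made-up customer record standing in for the
// "personal information" the breach statutes cover.
const constructedRecord = "name=Jane Doe;ssn=000-00-0000;dob=1970-01-01"

// commonPasswords is a constructed stand-in for the top of a leaked
// password list, the guesses an attacker tries first.
var commonPasswords = []string{"password", "123456", "qwerty", "letmein", "welcome", "abc123", "12345678", "iloveyou"}

// deriveKey stretches a password into a 32-byte AES-256 key by iterating
// SHA-256 over salt||password. This is an illustrative stand-in for a real
// KDF such as PBKDF2 or Argon2 (an assumption of this example). A KDF adds
// no entropy: the key is exactly as guessable as the password behind it.
func deriveKey(password string, salt []byte, iterations int) []byte {
	buf := make([]byte, 0, len(salt)+len(password)) // copy, never append into the caller's slice
	buf = append(buf, salt...)
	buf = append(buf, password...)
	h := sha256.Sum256(buf)
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt seals plaintext with AES-256-GCM under a password-derived key and
// returns salt || nonce || ciphertext+tag, the layout a file or disk
// encryption tool might write to the device.
func encrypt(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(password, salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, salt...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// decrypt reverses encrypt. The GCM tag makes a wrong password fail loudly
// rather than yield garbage, which is what makes offline guessing cheap:
// every guess gets a definitive yes or no.
func decrypt(password string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen {
		return nil, errors.New("blob too short")
	}
	salt := blob[:saltLen]
	gcm, err := newGCM(deriveKey(password, salt, kdfIterations))
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < saltLen+n+gcm.Overhead() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[saltLen:saltLen+n], blob[saltLen+n:], nil)
}

// guessPassword is the attacker's side: holding the blob from a lost laptop
// or USB stick, try each candidate offline. Returns the password and the
// recovered plaintext, or ok=false if no candidate opened the blob.
func guessPassword(blob []byte, candidates []string) (password string, plaintext []byte, ok bool) {
	for _, c := range candidates {
		if pt, err := decrypt(c, blob); err == nil {
			return c, pt, true
		}
	}
	return "", nil, false
}

func main() {
	for _, pw := range []string{"123456", "a long random passphrase: 7Qz!mw-K4r#pL2"} {
		blob, err := encrypt(pw, []byte(constructedRecord))
		if err != nil {
			panic(err)
		}
		if guessed, pt, ok := guessPassword(blob, commonPasswords); ok {
			fmt.Printf("AES-256 blob sealed with %q: opened with guess %q -> %s\n", pw, guessed, pt)
		} else {
			fmt.Printf("AES-256 blob sealed with %q: not in the guess list, data stays sealed\n", pw)
		}
	}
}
```

Run it and the blob sealed under 123456 opens on the second guess, while the blob sealed under the long passphrase survives only because that passphrase is not on the list. The cipher is identical in both runs; the whole difference is how unpredictable the key is, which is exactly the property the statutory encryption safe harbor never asks about.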

In the previous scenario, an organization would not have to report a potential compromise of consumer personal information under current legislation. The organization is in compliance with the law even though the consumer’s personal information is not protected as they are led to believe. Compliance with the letter of the statute, in other words, says nothing about whether the data was actually safe.

What should the legislation say? How about, “Organizations must apply due care and due diligence to the protection of personal information by implementing appropriate security controls as recommended by a cognizant information security professional.” Some such wording would allow appropriately trained individuals to secure personal information. What constitutes a cognizant information security professional, however, is a subject for another discussion.

