AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

New Mexico Now Has A Data Breach Notification Bill

New Mexico will be the latest US state to add a data breach notification law to its books. Once the bill officially becomes a law, only two states – Alabama and South Dakota – will remain outsiders to the crazy idea that people should be notified if their personal data is hacked.

You can read the bill in all its glory at this link (it's a PDF file), but the introduction to it gives you a good idea of what's up:

RELATING TO CONSUMER PROTECTION; CREATING THE DATA BREACH NOTIFICATION ACT; REQUIRING NOTIFICATION TO PERSONS AFFECTED BY A SECURITY BREACH INVOLVING PERSONAL IDENTIFYING INFORMATION; REQUIRING SECURE STORAGE AND DISPOSAL OF DATA CONTAINING PERSONAL IDENTIFYING INFORMATION; REQUIRING NOTIFICATION TO CONSUMER REPORTING AGENCIES AND THE OFFICE OF THE ATTORNEY GENERAL; PROVIDING CIVIL PENALTIES; EXEMPTING NEW MEXICO AND ITS POLITICAL SUBDIVISIONS FROM COMPLIANCE WITH THE DATA BREACH NOTIFICATION ACT.

Possibly Problematic

There is a potential problem, though. One of the definitions (my emphasis for the below) for the purposes of the bill:
"personal identifying information": (1) means an individual's first name or first initial and last name in combination with one or more of the following data elements that relate to the individual, when the data elements are not protected through encryption or redaction or otherwise rendered unreadable or unusable: [redacted]

In the above, an effort is being made to spell out what is not personal identifying information. For example, an SSN that was encrypted is not personal identifying information, so its loss would be excluded from the data breach notification requirements.

The problem lies in the passage "otherwise rendered unreadable or unusable," which could very well work against the spirit of the law. For example, hashing data with a known one-way function renders it unreadable in a narrow technical sense. However, data transformed in this fashion is not considered secure, because recovering the original values can be quite easy.

You're probably very aware that there have been many data breaches in the last ten years or so. In most cases where stolen passwords were involved, the "security" behind said passwords was a hash – and, with the exception of a handful of instances, security professionals agreed that people needed to change their passwords ASAP, especially if the password was re-used at other sites.

Why? Because hashing, unlike encryption or redaction (read: deleting stuff), can be defeated with enough trial and error. And computers are great at trial and error.
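As an added illustration (not part of the original post), the following constructed Python example shows the trial-and-error point: a plain SHA-256 hash of a low-entropy data element such as a date of birth is "unreadable" yet recoverable by enumerating the whole space of possible dates, whereas a keyed transformation (HMAC with a secret key, standing in here for the "security technology generally accepted in the field" side of the distinction) gives the same search nothing to match. The sample date, year range and key are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Iterable, Optional, Callable

# Constructed example data: a date of birth, a typical low-entropy PII element.
SAMPLE_DOB = "1984-07-04"

def sha256_hex(value: str) -> str:
    """Plain, unkeyed hash: the 'rendered unreadable' transformation at issue."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def keyed_tag(value: str, key: bytes) -> str:
    """Keyed transformation (HMAC-SHA256): without the key, the output cannot be reproduced."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def dob_candidates(start_year: int = 1920, end_year: int = 2020) -> Iterable[str]:
    """Every calendar date in the range: the entire space an unkeyed hash has to hide."""
    d = date(start_year, 1, 1)
    last = date(end_year, 12, 31)
    while d <= last:
        yield d.isoformat()
        d += timedelta(days=1)

def recover_by_enumeration(target_hex: str, candidates: Iterable[str],
                           transform: Callable[[str], str]) -> Optional[str]:
    """Trial and error: apply the public transform to each candidate and compare.
    Returns the matching plaintext, or None if nothing in the space matches."""
    for candidate in candidates:
        if hmac.compare_digest(transform(candidate), target_hex):
            return candidate
    return None

def main() -> None:
    digest = sha256_hex(SAMPLE_DOB)
    found = recover_by_enumeration(digest, dob_candidates(), sha256_hex)
    space = sum(1 for _ in dob_candidates())
    print(f"unkeyed SHA-256 over {space} possible dates -> recovered {found!r}")

    key = secrets.token_bytes(32)  # secret held only by the data owner
    tag = keyed_tag(SAMPLE_DOB, key)
    # The searcher does not hold the key, so the same enumeration finds nothing.
    found = recover_by_enumeration(tag, dob_candidates(), sha256_hex)
    print(f"keyed HMAC, key unknown to the searcher -> recovered {found!r}")

if __name__ == "__main__":
    main()
```

The whole 1920-2020 date space is only 36,891 values, so the unkeyed case finishes in a fraction of a second on ordinary hardware.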

The fact that the controversial passage is attached to the definition of personal identifying information, as opposed to the definition of encryption, doesn't change the situation because it leads to the same problem: since personal data that is "otherwise…unreadable" is not legally personal identifying information, it can be argued that hashed personal info (just like encrypted personal info) can be excluded from the purview of this law.  


At Least They Got Encryption Right

Adding self-defeating language like this to the books is disappointing, especially when the drafters of the bill went through the trouble of defining encryption correctly:
"encrypted" means rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security

When data breach notification laws were passed in the past, there were instances where encryption was defined in such a way that equated it with hashing. Doing so is a security faux pas because companies could argue that their hashed data was "encrypted" per the legal definition, and thus be excluded from notifying customers.

It bears repeating: hashing is not considered a proper security mechanism in the event of a data breach – it isn't "a security technology or methodology generally accepted in the field of information security."

As time went by and lawmakers gained more experience and knowledge, the law correctly began to reflect what was and wasn't proper data security.

It looks like we need to do better, however.


Related Articles and Sites:
https://www.dataprivacymonitor.com/data-breach-notification-laws/new-mexico-passes-data-breach-notification-and-protection-bill/
https://www.databreaches.net/new-mexico-passes-data-breach-notification-and-protection-bill/


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.