Encryption safe harbours and data breach notification laws

Computer Law and Security Review

Volumn 26, Issue 5, 2010, Pages 520-534

  Burdon, Mark ^a   Reid, Jason ^a   Low, Rouhshi ^a  

^a QUEENSLAND UNIVERSITY OF TECHNOLOGY   (Australia)

Author keywords

Data breach notification; Data protection; Encryption; Information security management

Indexed keywords

DATA BREACHES; DATA PROTECTION; ENCRYPTION; INFORMATION SECURITY MANAGEMENTS; PERSONAL DATA; PERSONAL INFORMATION; REGULATORY AUTHORITIES; REGULATORY FRAMEWORKS; RISK-BASED;

INDUSTRIAL MANAGEMENT; LAWS AND LEGISLATION; NETWORK SECURITY;

CRYPTOGRAPHY;

EID: 77957931499     PISSN: 02673649     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.clsr.2010.07.002     Document Type: Article

References (132)

1. It should also be noted that other common and broad safe harbours exist particularly in relation to good faith use by employees and to acquired information that is already in the public domain.
2. Notification fatigue refers to the negative impact of over-notification upon individuals and potentially the overall impact of data breach notification laws. See e.g. A Cavoukian, A Discussion Paper on Privacy Externalities, Security Breach Notification and the Role of Independent Oversight (2009) http://www.ipc.on.ca/images/Resources/privacy-externalities.pdf; at 19 March 2010, 9 and PM Schwartz and EJ Janger, Notification of Data Security Breaches (2007) 105(5) Michigan Law Review 913, 916.
3. See e.g. California Office of Privacy Protection, Recommended Practices on Notice of Security Breach Involving Personal Information (California Office of Privacy Protection, 2008).
4. See e.g. L Rode, Database Security Breach Notification Statutes: Does Placing the Responsibility on the True Victim Increase Data Security? (2007) 43(5) Houston Law Review 1597:1628
5. ME Jones, Data Breaches: Recent Developments in the Public and Private Sectors (2007) 3 I/S: A Journal of Law and Policy for the Information Society 555, 573
6. KE Picanso, Protecting Information Security Under a Uniform Data Breach Notification Law (2006) 75(1) Fordham Law Review 355, 384. available at www.sciencedirect.com www.compseconline.com/publica t ions/prodclaw.htm computer law & s e c u r i t y r e v i e w 2 6 ( 2 0 1 0 ) 5 2 0 e5 3 4 0267-3649/e see front matter 2010 Mark Burdon, Jason Reid and Rouhshi Low. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2010.07.002
7. See e.g. FH Cate, Information Security Breaches: Looking Back and Thinking Ahead (2008) http://www.hunton.com/files/tbl-s47Details/FileUpload265/ 2308/Information-Security-Breaches-Cate.pdf; at 19 March 2010
8. FJ Garcia, Data Protection, Breach Notification, and the Interplay between State and Federal Law: The Experiments Need More Time (2007) 17(3) Fordham Intellectual Property, Media & Entertainment LawJournal 693; PMSchwartz and E J Janger, Notification of Data Security Breaches (2007) 105(5) Michigan Law Review 913; B St. Amant, Misplaced Role of Identity Theft in Triggering Public Notice of Database Breaches (2007) 44 Harvard Journal on Legislation 505.
9. ME Jones, Data Breaches: Recent Developments in the Public and Private Sectors (2007) 3 I/S: A Journal of Law and Policy for the Information Society 555.
10. See generally PM Schwartz and EJ Janger, Notification of Data Security Breaches (2007) 105(5) Michigan Law Review 913
11. St. Amant, Misplaced Role of Identity Theft in Triggering Public Notice of Database Breaches (2007) 44 Harvard Journal on Legislation 505
12. SA Needles, The Data Game: Learning to Love the State- Based Approach to Data Breach Notification Law (2009) 88 North Carolina Law Review 267
13. TJ Smedinghoff, The State of Information Security Law: A Focus on the Key Legal Trends (2009)
14. S Lee, Breach Notification Laws: Notification Requirements and Data Safeguarding Now Apply to Everyone, Including Entrepreneurs (2006) 1(1) Entrepreneurial Business Law Journal 125
15. KE Picanso, Protecting Information Security Under a Uniform Data Breach Notification Law (2006) 75(1) Fordham Law Review 355
16. L Rode, Database Security Breach Notification Statutes: Does Placing the Responsibility on the True Victim Increase Data Security? (2007) 43(5) Houston Law Review 1597.
17. Those articles that have covered the issue in most depth are ME Jones, Data Breaches: Recent Developments in the Public and Private Sectors (2007) 3 I/S: A Journal of Law and Policy for the Information Society 555 TH Skinner, Californias Database Breach Notification Security Act: The First State Breach Notification Law is Not Yet a Suitable Template for National Identity Theft Legislation (2003) 10(1) Richmond Journal of Law & Technology
18. J Winn, Are Better Security Breach Notification Laws Possible? (2009) Berkeley Technology Law Journal, vol.24, 2009.
19. W Mao, Modern Cryptography: Theory and Practice (2004), 24.
20. Symmetric cryptographic algorithms such as DES and AES use the same key for encryption and decryption. Asymmetric algorithms such as RSA use a different key for encryption and decryption.
21. See AJ Menezes, PC Van Oorschot and SA Vanstone, Handbook of Applied Cryptography, CRC Press series on discrete mathematics and its applications. (1997), 14. All ciphers can be broken given sufficient time and computational resources by systematically trying all possible keys. If the number of possible keys is sufficiently large, a so-called exhaustive search of the key space is infeasible because it exceeds the minimum specified time for which the cipher must remain secure. The goal of cipher design is therefore to ensure that the fastest way to break the algorithm is exhaustive search.
22. A system that relies on the secrecy of an algorithm for its security violates Kerckhoffs principle which states that no inconvenience should occur if the system falls into the hands of an adversary, because all security should reside in the secrecy of the keys. See A Kerckhoffs, La Cryptographie Militaire (1883) Journal des Sciences Militaires 5.
23. Secret algorithms such as COMP128 and A5 used in the early days of GSM mobile telephony were subsequently reverse engineered, and significant weaknesses were identified. They are now considered broken. See E Barkan, E Biham and N Keller, Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication (2008) 21(3) Journal of Cryptology 392.
24. See RJ Anderson, Why Cryptosystems Fail (1994) 37(11) Communications of the ACM 32.
25. For example, a common key length used with the widely accepted AES algorithm is 128 bits (bits are zeros and ones). When encoded as a decimal number, a 128 bit key requires up to 39 digits.
26. RJ Anderson, Why Cryptosystems Fail (1994) 37(11) Communications of the ACM 32. Passwords are the most widely used authentication mechanism but they have significant and well documented shortcomings
27. Access to the laptops filesystem is controlled at first instance by password authentication enforced by the operating system at log on. However, this can be easily bypassed by removing the laptops hard disk and accessing it using another operating system. Removal is not necessary if the laptop is configured to boot from the optical drive or USB port.
28. See e.g. Narayanan, A. and Shmatikov, V. Fast Dictionary Attacks on Passwords Using Time-Space Tradeoff. In Proceedings of the 12th ACM Conference on Computer and Communications Security CCS 05, Alexandria, VA, USA, November 07e11, 2005, 364e372. The authors report a password guessing algorithm that successfully guessed 67% of passwords from a real database of 150 user selected passwords.
29. See J Yan, A Blackwell and R Anderson, Password Memorability and Security: Empirical Results (2004) 2(5) IEEE Security & Privacy 25.
30. See A Emigh, The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond (2006) 1(3) Journal of Digital Forensic Practice 245 for an overview of malware tools and attack methods.
31. RJ Anderson, Why Cryptosystems Fail (1994) 37(11) Communications of the ACM 32.
32. See National Institute of Standards and Technology, Publication SP 800-857 Part 1, Recommendation for Key Management e Part 1: General (Revised) (2007) http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1- revised2-Mar08-2007.pdf; at 20 March 2010.
33. A Maurushat, Data Breach Notification Law Across the World from California to Australia (2009) http://law.bepress.com/unswwps/flrps09/art11; at 20 March 2010.
34. Samuelson Law Technology & Public Policy Clinic, Security Breach Notification Laws: Views from Chief Security Officers (2007) http://groups.ischool.berkeley.edu/samuelsonclinic/files/cso- study.pdf; at 21 March 2010, 17.
35. Ponemon Institute, US Enterprise Encryption Trends (2009), 11.
36. US Enterprise Encryption Trends Ibid.
37. US Enterprise Encryption Trends Ibid.
38. Ponemon Institute, Encryption Trends e Australia (2009), 8.
39. However, see also Office of the Privacy Commissioner, Portable Storage Devices and Australian Government Agencies Personal Information Survey (2009), 22 which also suggests that there has been a degree of uptake amongst Australian Government agencies regarding protections for portable storage devices.
40. For example in, 2009 997 usable responses out of 14,893 surveys (6.7%); 2008 975 usable responses out of 13,448 (7.3%).
41. J Winn, Are Better Security Breach Notification Laws Possible? (2009) Berkeley Technology Law Journal, vol.24, 2009, 25. It should be noted however that Winns article is concerned with the effects of the Californian data breach notification law.
42. M E Jones, Data Breaches: Recent Developments in the Public and Private Sectors (2007) 3 I/S: A Journal of Law and Policy for the Information Society 555, 573.
43. Ibid., 562.
44. Ibid., 563. See also P M Schwartz and E J Janger, Notification of Data Security Breaches (2007) 105(5) Michigan Law Review 913 regarding the role and purpose of pure notification data breach laws predicated on an acquisition trigger.
45. This causal link has been a controversial element of data breach notification laws. For a summary of the issue see FH Cate, Information Security Breaches: Looking Back and Thinking Ahead (2008) http://www.hunton.com/files/ tbl-s47Details/FileUpload265/2308/Information-Security-Breaches-Cate.pdf; at 19 March 2010
46. M Burdon, B Lane and P Von Nessen, The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments (2010 26(2) Computer Law & Security Review 115, 126
47. ME Jones, Data Breaches: Recent Developments in the Public and Private Sectors (2007) 3 I/S: A Journal of Law and Policy for the Information Society 555 563.
48. See e.g. ALASKA STAT. x 45.48.010 (Michie, 2009); ARK.coDE ANN. x 4-110-105 (Michie, 2005); FLA. STAT. x 817.5681 (2005); LA. REV. STAT. ANN. xx 51:3071 (West, 2005)
49. See e.g. KAN. STAT. ANN. xx 50-7a01 (2006); MD.coDE ANN. xx 14-3501 (2008); MASS. GEN. LAWS 93H x1 (2007); MICH.coMP. LAWS x 445.72 (2007); OHIO REV.coDE ANN. x 1349.19 (West, 2005); R.I. GEN. LAWS x 11-49.2-1 (2005); UTAH CODE ANN. xx 13- 42-101 (2006); WIS. STAT. x 895.507 (2006).
50. See e.g. ARIZ. REV. STAT. x 44-7501 (2007).
51. Directive of the European Parliament and of the Council amending Directive 2002/22/EC on universal service and users rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.
52. See also PM Schwartz and EJ Janger, Notification of Data Security Breaches (2007) 105(5) Michigan Law Review 913, 933 regarding the two-tier approach of the Interagency Guidelines. These are guidelines developed by a collection of agencies involved in financial regulation that inform financial institutions about how and when to notify a breach. See Office of the Comptroller of the Currency et al, Interagency Guidance on Response Programs for Unauthorised Access to Customer Information and Customer Notice (2005).
53. S3(a)(1) Identity Theft Protection Act of 2005, S. 1408, 109th Cong. (2005).
54. S3(a)(2) Identity Theft Protection Act of 2005, S. 1408, 109th Cong. (2005).
55. However, it should be noted that the consumer notification provisions were removed in the version of the bill reported to the Senate and regulatory notification was also changed to a riskbased trigger that was subsequently adopted by other bills.
56. See M Burdon, B Lane and P Von Nessen, The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments (2010) 26(2) Computer Law & Security Review 115, 127 and complications related to notification under the amended e-Privacy Directive.
57. See CAL. CIV.coDE (West, 2003)x.1798.29(e) "For purposes of this section, personal information means an individuals first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted".
58. T H Skinner, Californias Database Breach Notification Security Act: The First State Breach Notification Law is Not Yet a Suitable Template for National Identity Theft Legislation (2003) 10(1) Richmond Journal of Law & Technology.
59. California Office of Privacy Protection, Recommended Practices on Notice of Security Breach Involving Personal Information (California Office of Privacy Protection, 2008), 10.
60. Ibid., 8. See also at page 6, "The recommendations offered here are neither regulations, nor mandates, nor legal opinions. Rather, they are a contribution to the development of "best practices" for businesses and other organisations to follow in managing personal information in ways that promote and protect individual privacy interests".
61. Only one state, Wyoming, has a data breach notification law with no encryption exemption. Instead, it has a redaction only exemption. See WYO. STAT. ANN. xx 40-12-501 (Michie, 2007). The District of Columbia also has an exemption to notification that has no reference to encryption. The laws notification trigger states that if personal data has been rendered secure so that it is unusable by an unauthorised third party, then notification is not required. See D.C.coDE ANN. x 28-3851 (2007).
62. See also ALASKA STAT. x 45.48.010 (Michie, 2009); ARK.coDE ANN. x 4-110-105 (Michie, 2005); CAL. CIV.coDE (West, 2003); COLO. REV. STAT. x 6-1-716 (2006); CONN. GEN. STAT. x 36a-701b (2006); 6 DEL.coDE ANN. xx 12B-101 (2005); FLA. STAT. x 817.5681 (2005); GA.coDE ANN. xx 10-1-911 (2005); IDAHO CODE x 28-51-104 (Michie, 2006); 815 ILL.coMP. STAT. 530/1 (2005); LA. REV. STAT. ANN. xx 51:3071 (West, 2005); MINN. STAT. x 325E.61 (2006); MONT.coDE ANN. x 30-14-1704 (2006); NEV. REV. STAT. xx 603A.010 (2006); N.J. STAT. ANN. x 56:8-163 (West, 2006); N.Y. GEN. BUS. LAWS xx 899-aa (2005); N.D. CENT.coDE xx 51-30-01 (2005); R.I. GEN. LAWS x 11-49.2-1 (2005); S.C.coDE ANN. x 39-1-90 (Law Co-op 2009); TENN.coDE ANN. x 47-18-2101 (2005); TEX. BUS. & COMM.coDE. xx 48.
63. UTAH CODE ANN. (2005) xx 13-42-101 (2006); WASH. REV.coDE x 19.255.010 (2005); WIS. STAT. x 895.507 (2006).
64. N.C. GEN. STAT. xx 75-160 (2005).
65. OHIO REV.coDE ANN. x 1349.19 (West, 2005).
66. See alsoARIZ.REV.STAT. x 44-7501 (2007);HAW.REV.STATxx 487 N-1 (2007); IND.coDE xx 24-4.9-3-1 (2006); IOWA CODE x 715C.1 (2008);KAN.STAT.ANN. xx 50-7a01 (2006);MD.CODEANN. xx 14-3501 (2008);MICH.COMP. LAWS x 445.72 (2007);MO. REV.STAT. x 407.1500 (2009);NEB.REV.STAT. xx 87-801 (2006); N.H.REV.STAT.ANN. xx 359- C:19 (2007); OR. REV. STAT. x 646A.600 (2007); 73 PA.coNS. STAT. x 2303 (2006); 9 VT. STAT. ANN. xx 2430 (2007); VA.coDE ANN. x 18. 2e186.6 (Michie, 2008);W. VA.coDE xx 46A-2A-101 (2008)
67. See e.g. 6 DEL.coDE ANN. xx 12B-101 (2005); FLA. STAT. x 817. 5681 (2005); IDAHO CODE x 28-51-104 (Michie, 2006); MONT.coDE ANN. x 30-14-1704 (2006); NEV. REV. STAT. xx 603A.010 (2006); OKLA. STAT. x 74e3113.1 (2006); R.I. GEN. LAWS x 11-49.2-1 (2005); TENN.coDE ANN. x 47-18-2101 (2005); TEX. BUS. & COMM.coDE. xx 48.001 (2005); WASH. REV.coDE x 19.255.010 (2005).
68. Additional provisions include "redaction", see e.g. ARK.coDE ANN. x 4-110-105 (Michie, 2005) or data that is protected "by another method to make it unreadable or unusable", see e.g. UTAH CODE ANN. xx 13-42-101 (2006).
69. The first state to use this definition of encryption was North Carolina and was subsequently adopted by other states. See e.g. N.C. GEN. STAT. xx 75-60 (2005). See also ARIZ. REV. STAT. x 44- 7501 (2007); HAW. REV. STAT xx 487 N-1 (2007); IOWA CODE x 715C.1 (2008); MO. REV. STAT. x 407.1500 (2009); NEB. REV. STAT. xx 87-801 (2006); OR. REV. STAT. x 646A.600 (2007); 9 VT. STAT. ANN. xx 2430 (2007).
70. Likewise, the first state to adopt this definition was Ohio which was again followed by other states. See e.g. OHIO REV.coDE ANN. x 1349.19 (West, 2005). See also IND.coDE xx 24-4.9-3-
71. (2006); KAN. STAT. ANN. xx 50-7a01 (2006); MD.coDE ANN. xx 14-3501 (2008); MICH.coMP. LAWS x 445.72 (2007); N.H. REV. STAT. ANN. xx 359-C:19 (2007); OHIO REV.coDE ANN. x 1349.19 (West, 2005); 73 PA.coNS. STAT. x 2303 (2006); VA.coDE ANN. x 18.2e186.6 (Michie, 2008); W. VA.coDE xx 46A-2A-101 (2008).
72. See MASS. GEN. LAWS 93H x1 (2007). The full definition of encryption reads "encryption is the transformation of data through the use of a 128 bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation." and ME. REV. STAT. ANN. 10, xx 210-B-1346 (West, 2007). "Encryption means the disguising of data using generally accepted practices".
73. ME Jones, Data Breaches: Recent Developments in the Public and Private Sectors (2007) 3 I/S: A Journal of Law and Policy for the Information Society 555, 573.
74. S.3(f)(2)(A)&(B) Data Accountability and Trust Act of 2009, H.R. 2221, 111st Cong. (2009).
75. See Data Breach Notification Act of 2009, S. 139, 111st Cong. (2009); Personal Data Privacy and Security Act of 2009, S. 1490, 111st Cong. (2009).
76. S3(f)(2)(B) Data Accountability and Trust Act of 2009, H.R. 2221, 111th Cong. (2009).
77. It should also be noted that the Personal Data Privacy and Security Act of 2009, S. 1490, 111st Cong. (2009) was also recommended by committee for a full senate vote. This bill has an acquisition-based trigger but with a risk-based exemption that provides similar effect to a risk-based trigger.
78. ME Jones, Data Breaches: Recent Developments in the Public and Private Sectors (2007) 3 I/S: A Journal of Law and Policy for the Information Society 555
79. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice (2008): 1692.
80. Art. 4(c) e-Privacy Directive.
81. See Open Security Foundation, Dataloss Statistics (2009) http://datalossdb.org/statistics; at 19 August 2009. The DataLossDB website has chronicled a dramatic increase in the number of data breach incidents from the inception of the first data breach notification law. In 2003, 24 incidents were notified but 725 incidents were notified in 2008 and 442 in 2009. The most common type of data breaches were stolen laptops (20%), computer hacking incidents (16%) and inadvertent publication on the Internet (13%).
82. For this sub-section, we use the phrase "potentially breached personal information" to represent personal information that may or may not have been acquired in a data breach involving encryption protections because the data will only be acquired if the encryption can be defeated (e.g. in category 2 by a sufficiently skilled and motivated party and in category 3 if the encryption used was bypassed).
83. WEP is an encryption protocol for IEEE 802.11 wireless networks. Wireless networks broadcast network traffic on standard frequencies that can be received by an adversary who is within broadcast range. The ciphertext of network traffic is therefore assumed to be publicly known.
84. See R Housley and W Arbaugh, Security Problems in 802.11- based Networks (2003) 46(5) Communications of the ACM 31.
85. Tools such as the freely available Aircrack key cracking program can recover WEP encryption keys from protected 802.11 wireless signals in a matter of minutes. See Aircrack-Ng, Homepage (2009) http://www.aircrack-ng.org; at 20 March 2010.
86. J Pereira, Breaking The Code: How Credit-Card Data Went Out Wireless Door e In Biggest Known Theft, Retailers Weak Security Lost Millions of Numbers, The Wall Street Journal (New York), 4 May 2007, A1.
87. Given that 20% of dataloss incidents involve stolen laptop computers, hard drive encryption is an increasingly popular strategy to mitigate the risk of personal information loss arising from stolen laptop computers. See Open Security Foundation, Dataloss Statistics (2009) http://datalossdb.org/ statistics; at 19 August 2009.
88. See Microsoft, Bitlocker (2009) http://www.microsoft.com/windows/windows- 7/features/bitlocker.aspx; at 20 March 2010.
89. See Truecrypt, Homepage (2009) http://www.truecrypt.org; at March 2010.
90. Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., and Felten, E.W. 2008. Lest We Remember: Cold Boot Attacks on Encryption Keys. In Proceedings of the 17th Conference on Security Symposium (San Jose, CA, July 28eAugust 01, 2008). USENIX Association, Berkeley, CA, 45e60.
91. For example, see Passware Kit Version 9.5 from Passware Inc. as reported in L Seltzer, New Passware Can Crack PGP and BitLocker- Protected Systems" (2009) http://blogs.pcmag.com/securitywatch/2009/12/new-passware-can-crack-pgp- and.php; at 3 March 2010.
92. For a further discussion of weaknesses of authentication methods see: L OGorman, Comparing Passwords, Tokens, and Biometrics for User Authentication (2003) 91(12) Proceedings of the IEEE 2021.
93. J Pereira, Breaking The Code: How Credit-Card Data Went Out Wireless Door e In Biggest Known Theft, Retailers Weak Security Lost Millions of Numbers, The Wall Street Journal (New York), 4 May 2007, A1.
94. For example, in the TJX data breach it is estimated that the unauthorised party had access to internal systems for 18 months before the intrusion was detected.
95. See T H Skinner, Californias Database Breach Notification Security Act: The First State Breach Notification Law is Not Yet a Suitable Template for National Identity Theft Legislation (2003) 10(1) Richmond Journal of Law & Technology
96. J Winn, Are Better Security Breach Notification Laws Possible? (2009) Berkeley Technology Law Journal, Vol.24, 2009, 14.
97. TJ Smedinghoff, Trends in the Law of Information Security (2005) 17 Intellectual Property & Technology Law Journal 1(5)
98. J Winn, Are Better Security Breach Notification Laws Possible? (2009) Berkeley Technology Law Journal, vol.24, 2009, 4
99. J Winn, Can a Duty of Information Security Become Special Protection for Sensitive Data Under US Law? (2008) SSRN eLibrary; AM Matwyshyn, Harbouring data: Information Security, Law, and the Corporation (2009), 7e13.
100. See TJ Smedinghoff, The State of Information Security Law: A Focus on the Key Legal Trends (2009), 16 regarding regulation of the health care sector under the Health Insurance Portability and Accountability Act of 1996 and financial sector under the Gramm Leach Bliley Financial Services Modernization Act of 1999.
101. Ibid., 10 such as corporate financial data under the Sarbannes Oxley Act of 2002.
102. TJ Smedinghoff, Trends in the Law of Information Security (2005) 17 Intellectual Property & Technology Law Journal 1(5), 1.
103. For example, see the discussion about reasonable or appropriate security at TJ Smedinghoff, The State of Information Security Law: A Focus on the Key Legal Trends (2009), 16.
104. TJ Smedinghoff, Trends in the Law of Information Security (2005) 17 Intellectual Property & Technology Law Journal 1(5), 3
105. TJ Smedinghoff, The State of Information Security Law: A Focus on the Key Legal Trends (2009), 17.
106. See e.g. M Isikoff, Missing: A Laptop of DEA Informants (2004) Newsweek http://www.newsweek.com/id/53958; at 17 March 2010 regarding the loss of a laptop containing informant details relating to investigations conducted by the Drug Enforcement Administration in the US. See also BBC News, MoD Inquiry After Laptop Stolen from Headquarters (2009) http://news.bbc.co.uk/2/hi/uk-news/ 8409363.stm; at 17 March 2010 regarding the theft of a laptop from MoD headquarters in the UK and BBC News, Previous Cases of Missing Data (2009) http://news.bbc.co.uk/2/hi/uk-news/8409405. stm; at 17 March 2010 for other instances of security failures involving laptops and sensitive UK government information.
107. See T H Skinner, Californias Database Breach Notification Security Act: The First State Breach Notification Law is Not Yet a Suitable Template for National Identity Theft Legislation (2003) 10(1) Richmond Journal of Law & Technology.
108. Ibid. "Encryption, however, is not supposed to be the primary source of security. It is designed to supplement an overall riskbased program. It is part of the solution, not the solution".
109. In the case of category 3 type usage, the organisation may simply not be aware that unencrypted personal information has leaked to an unauthorised entity due to inadequacies in its intrusion detection and security event monitoring practices. Since the personal information exists in encrypted form it may misguidedly assume that a notifiable breach cannot occur.
110. See J Winn, Are Better Security Breach Notification Laws Possible? (2009) Berkeley Technology Law Journal, vol.24, 2009, 14 "companies can enjoy the benefit of the safe harbour by the use of weak encryption technologies without adopting a systemic, risk management-based approach to information security". See also C Carlson, Storm Brews Over Encryption Safe Harbour in Data Breach Bills (2005) http://www.eweek.com/c/a/Government-IT/Storm- Brews-Over-Encryption-Safe-Harbor-in-Data-Breach-Bills; at 11 January 2010 and the comments by Bruce Schneier.
111. See e.g. ARIZ. REV. STAT. x 44-7501 (2007); HAW. REV. STAT xx
112. N-1 (2007); IND.coDE xx 24-4.9-3-1 (2006); KAN. STAT. ANN. xx 50-7a01 (2006); ME. REV. STAT. ANN. 10, xx 210-B-1346 (West, 2007); MD.coDE ANN. xx 14-3501 (2008); MASS. GEN. LAWS 93H x1 (2007); MICH.coMP. LAWS x 445.72 (2007); MO. REV. STAT. x 407. 1500 (2009); N.H. REV. STAT. ANN. xx 359-C:19 (2007); N.C. GEN. STAT. xx 75-60 (2005); OHIO REV.coDE ANN. x 1349.19 (West, 2005); W. VA.coDE xx 46A-2A-101 (2008).
113. See e.g. ALASKA STAT. x 45.48.010 (Michie, 2009); ARK.coDE ANN. x 4-110-105 (Michie, 2005); COLO. REV. STAT. x 6-1-716 (2006); GA.coDE ANN. xx 10-1-911 (2005); 815 ILL.coMP. STAT. 530/1 (2005); LA. REV. STAT. ANN. xx 51:3071 (West, 2005); N.Y. GEN. BUS. LAWS xx 899-aa (2005); S.C.coDE ANN. x 39-1-90 (Law Co-op 2009); 9 VT. STAT. ANN. xx 2430 (2007); WIS. STAT. x 895.507 (2006).
114. Health Insurance Portability and Accountability Act (HIPAA) of 1996 (P.L.104-191).
115. Department of Health and Human Services, 45 CFR Parts 160 and 164 e Breach Notification for Unsecured Protected Health Information (2009), 42742 "Because redaction is not a standardized methodology with proven capabilities to destroy or render the underlying information unusable, unreadable or indecipherable, we do not believe that redaction is an accepted alternative method to secure paper-based protected health information. As such, under the guidance redaction should not be given the same weight as encryption and other methods of securing technology. Only destruction of paper records will suffice as a requirement and redaction is not enough. The note makes clear that redaction is only to be used with paper records".
116. Such exemptions require a limited process of review based on whether the encryption adopted meets a specified definition of encryption, before an exemption can be relied upon.
117. See e.g. IND.coDE xx 24-4.9-3-1 (2006)x9-2-5 "Data are encrypted for purposes of this article if the data: (1) have been transformed through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key; or (2) are secured by another method that renders the data unreadable or unusable"[emphasis added].
118. See also KAN. STAT. ANN. xx 50-7a01 (2006); MD.coDE ANN. xx 14-3501 (2008); MICH.coMP. LAWS x 445.72 (2007); N.H. REV. STAT. ANN. xx 359-C:19 (2007).
119. S3(f)(1)Data Breach Notification Act of 2009, S. 139, 111st Cong. (2009).
120. S3(f)(2)Data Breach Notification Act of 2009, S. 139, 111th Cong. (2009).
121. For example, S3(f)(2) requires, within 270 days of enactment of DATA that the Federal Trade Commission "identify any additional security methodology or technology, other than encryption, which renders data in electronic form unreadable or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data".
122. See e.g.computer Security Institute and Federal Bureau of Investigation, Computer Crime and Security Survey (2006) 21 and the unwillingness of breached entities to notify even law enforcement agencies.
123. See e.g. S A Needles, The Data Game: Learning to Love the State-Based Approach to Data Breach Notification Law (2009) 88 North Carolina Law Review 267, 308
124. K E Picanso, Protecting Information Security Under a Uniform Data Breach Notification Law (2006) 75(1) Fordham Law Review 355, 378 and Samuelson Law Technology & Public Policy Clinic, Security Breach Notification Laws: Views from Chief Security Officers (2007) http://groups.ischool. berkeley.edu/ samuelsonclinic/files/cso-study.pdf; at 21 March 2010, 32 commenting "However, because encryption is an evolving technology, it seems better suited for definition and reevaluation by regulatory agencies than strict definitions in statutes"
125. Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice (2008), 1692.
126. Ibid. These include the type of personal information breached, the nature of the agency or organisation that encountered the breach, and the risk of harm that would be caused by the breach.
127. See Art 4 of the e-Privacy Directive "Notification of a personal data breach to a subscriber or individual concerned shall not be required if the provider has demonstrated to the satisfaction of the competent authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the security breach. Such technological protection measures shall render the data unintelligible to any person who is not authorised to access it".
128. For example, appropriate is defined in the Oxford English Dictionary as "specially fitted or suitable" and appropriate technology can mean "technology considered suitable for a particular application". Whereas adequate is defined as "commensurate in fitness; equal or amounting to what is required; fully sufficient, suitable, or fitting". As such, encryption can be suitable for the purpose of protecting personal information, but as we have shown with our category 2 and category 3 scenarios of encryption use, just because it is considered suitable for a particular purpose it should not presuppose that the use of encryption is commensurate in fitness or fully sufficient to fulfil that purpose.
129. ME Jones, Data Breaches: Recent Developments in the Public and Private Sectors (2007) 3 I/S: A Journal of Law and Policy for the Information Society 555, 580.
130. See PM Schwartz and EJ Janger, Notification of Data Security Breaches (2007) 105(5) Michigan Law Review 913, 940 and B Lane et al, Stakeholder Perspectives Regarding the Mandatory Notification of Australian Data Breaches (2010) forthcoming Media and Arts Law Review.
131. See e.g. M Burdon, B Lane and P von Nessen, The Mandatory Notification of Data Breaches: Issues Arising for Australian and EU Legal Developments (2010) 26(2) Computer Law & Security Review 115, 123e4.
132. See Art 4 of the e-Privacy Directive.