Comments on: Data Security Regulation 2.0, Part 1: In Nevada Transmission Requires Encryption

By: Andrew M. Baer

Andrew M. Baer — Wed, 11 Nov 2009 10:26:30 +0000

I agree it would be helpful to have an encryption standard that is universally accepted as best practices (although this will continue to evolve as the security threat grows more sophisticated). PCI DSS (required by the Nevada statute for payment card transactions) and its supporting documents partially fulfill this role, although PCI DSS is not applicable to everyone and IT experts point out that PCI DSS compliance can still leave vulnerabilities.

In regard to a nationally required encryption standard, I do not see this happening the near future because right now Congress is (a) preoccupied with health care, and (b) very concerned about imposing costly IT requirements on small and medium-sized businesses at a time when the national unemployment rate is 10.2%. The two big national data security bills being considered right now, H.R. 2221 and S. 1490, do not contain an encryption standard. The Massachusetts data security regulation, 201 CMR 17.00, previously required 128-bit encryption, but after businesses complained about this and other technology-specific provisions, it was amended in August (and finalized just last week) to keep the encryption requirement flexible.

So, for at least the next year or two, outside of specialized areas like HIPAA, I don't see a specific encryption standard being adopted by the federal or state governments. With that said, if a business is using a standard that clearly falls below best practices and then suffers a data breach (just as TJX used a wireless encryption standard that the PCI Security Council had criticized as vulnerable), you can expect the FTC will step in and plaintiffs' lawyers will file negligence claims. In other words, the FTC and the courts will set the standard de facto.

By: Mike

Mike — Tue, 10 Nov 2009 10:48:34 +0000

This is the first step in what will be an incredibly long process in the regulation of data protection methods. Clearly, all data needs to be encrypted because there are people who want to steal every piece of it they can get their hands on. I foresee two things happening in this vein. First, there will be a standard in encryption that will emerge and be adopted by the government. Second, the government will acquire this company and then push their standard on the country. with too many cooks, the encryption issue will remain muddled and we will always be vulnerable.

By: Angel Djambazov

Angel Djambazov — Tue, 09 Jun 2009 15:05:18 +0000

Thanks Don, updated information on the Bill 227 and Nevada's new Data Security Regulation posted in article.

By: daily dispatch | PLLDAILY

daily dispatch | PLLDAILY — Tue, 09 Jun 2009 11:21:30 +0000

[...] Court House News; Data Security Regulation 2.0, Part 1: In Nevada Transmission Requires Encryption, ReveNews; Cameras toe the line between privacy, security, delmarvaNow; Publishing David Carradine photo. Too [...]

By: Don Aplin

Don Aplin — Tue, 09 Jun 2009 06:35:32 +0000

Nevada law was amended, gov. signed the bill recently.