
Indiana Legislators Consider Security-Related Legislation

In connection with my being one of the editors of the SANS NewsBites, twice every week I look through potential security-related news items. Yesterday I read that Indiana state lawmakers are considering proposed legislation that would mandate encryption of customers’ personal information. The purpose is to protect individuals against identity theft in case of unauthorized access to such information. The Indiana House and Senate have different versions of this bill. The House version, Indiana House Bill 1197, differs from the other in that it would additionally require both that commercial entities employ strong encryption for customer-related information and that they report data security compromises to potentially affected individuals as well as to the office of the attorney general. Reported breaches would then be available on a public Web site.

The proposed legislation is by no means watertight. For example, an individual’s name and social security number are considered personal information, but numerous categories of information that could potentially comprise personal information are not mentioned. Still, the proposed legislation represents a big step forward in that it would require upfront protection of customer information, not merely post hoc measures such as prompt notification in case of a potential data security breach (which is still considerably better than requiring no control measures whatsoever)—a real potential victory for the general public and a real setback for perpetrators of identity theft. The requirement for strong encryption and also notification of data security breaches to the attorney general’s office in the House version of the proposed legislation would also be extremely beneficial to the public. Perhaps most importantly, however, if Indiana were to pass this legislation, it would set a new standard for other states (and, hopefully, the federal government at some point in time, and perhaps even other countries) to follow.

Things that appear to be just fine are never as good as they seem to be, and the Indiana legislation is no exception. Strong forces in the form of corporate giants such as AT&T, Microsoft, and LexisNexis strongly oppose this legislation (specifically, the House’s version of the legislation) because of the requirement to report data security breaches to the Indiana attorney general’s office, and are working vigorously to defeat this legislation. These organizations’ opposition is not without logic. For one thing, the requirement to report data security breaches to the attorney general’s office would mean government involvement in what would almost always be an already complex and potentially charged situation. Additionally, a publicly available site that lists information about data security breaches could, if not designed, implemented and secured very wisely, turn into a catastrophe.

It appears to me that the more critical part of the legislation, as far as the potential benefit to the public goes, is requiring encryption of personal information. Because the provisions for encryption and for reporting are in the same bill, if the corporate giants are successful in their efforts, encryption of customer data will not be required. This would be a real shame. The Indiana legislature would then in effect have to start over in its effort to pass this kind of legislation, but almost certainly with less momentum than before. One can thus only hope that the House and the Senate can reach a compromise concerning the provisions of this proposed legislation, and that whatever this compromise is, it will retain much of the strength of the original versions while also being acceptable to the corporations that oppose the House’s version.
