Indiana Legislation: Part 2
In a blog posting several weeks ago, I lamented Indiana's failure to pass new and better legislation concerning protection of personal information. You may recall that current Indiana law in effect requires notifying potential data security breach victims only if a portable electronic device containing their personal data is not password-protected or if the password has been disclosed. That standard is weak on its face: a login password controls access to the operating system, not to the data at rest, so anyone who removes the drive from a stolen laptop can read the files without ever entering a password. Both the Indiana House and Senate have now passed an amendment to the existing law requiring that potential data security breach victims be notified unless the data on a portable electronic device is encrypted and the encryption key has not been disclosed. This change will become effective on July 1 this year.
The new legislation in Indiana is by no means anywhere near perfect. For one thing, the strength of encryption is not specified. (This weakness in Indiana's new legislation is the same weakness that has limited the effectiveness of California law SB1386.) A company could therefore use the most rudimentary of encryption algorithms, something like ROT13 (i.e., a simple cipher in which each letter in plaintext is converted to the letter that is 13 positions to the right of it in the alphabet), to "encrypt" customer data and still claim the exemption. If the computer on which the data resided were compromised or stolen, recovering the data would be trivial: ROT13 has no secret key to disclose, it leaves digits and punctuation untouched, and even a general alphabetic shift can be undone by trying all 26 possibilities. Additionally, the provision in previous versions of Indiana's protection of personal information bill that required that the state attorney general be notified of data security breaches fell by the wayside in the most recent version of the bill. This provision was strongly opposed by a number of big, powerful corporations; accordingly, a number of Indiana legislators omitted it from the version of the bill that passed.
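To make the ROT13 point concrete, here is an added example (not code from the original post, and not any company's real system) that "encrypts" a constructed, fictitious customer record with an alphabetic shift and then recovers it with no key at all. It generalizes slightly from ROT13 to any of the 26 Caesar shifts, which is the entire key space such a scheme offers. The record, the field names and the SSN-shaped regular expression are all assumptions made for the demonstration.

```python
import re
import string

# Constructed sample record for the demonstration; the values are fictitious.
SAMPLE_RECORD = "Name: Jane Doe; SSN: 123-45-6789; Card: 4111111111111111"

# The "encryption" a ROT13-style scheme provides: digits and punctuation are not
# transformed at all, only ASCII letters are shifted within the alphabet.
def shift_letters(text: str, shift: int) -> str:
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)  # digits, spaces, punctuation pass through unchanged
    return "".join(out)


def rot13(text: str) -> str:
    # ROT13 is the shift-13 special case; applying it twice yields the plaintext,
    # so there is no key for a company to "not disclose".
    return shift_letters(text, 13)


# Assumed, hypothetical shape of a US SSN field in the record (###-##-####).
SSN_DIGITS = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SSN_FIELD = re.compile(r"SSN: \d{3}-\d{2}-\d{4}")


def exposed_ssns(ciphertext: str) -> list[str]:
    # A shift cipher never touched the digits, so the most sensitive field is
    # readable directly from the "encrypted" data without any decryption.
    return SSN_DIGITS.findall(ciphertext)


def recover_without_key(ciphertext: str):
    # Brute force the whole key space (26 shifts) and pick the candidate whose
    # structure matches what a customer record is expected to look like.
    for shift in range(26):
        candidate = shift_letters(ciphertext, -shift)
        if SSN_FIELD.search(candidate):
            return shift, candidate
    return None


if __name__ == "__main__":
    ct = rot13(SAMPLE_RECORD)
    print("stored on laptop :", ct)
    print("SSN visible as-is:", exposed_ssns(ct))
    print("recovered        :", recover_without_key(ct))
```

The contrast with real encryption is the key space: a modern cipher with a 128-bit key cannot be enumerated the way 26 shifts can, and it transforms every byte, not just letters. A law that merely says "encrypted" does not distinguish between the two.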
Over the years considerable progress in national cybercrime legislation, particularly in the US, Canada and Europe, has been made. States within the US have also achieved considerable progress. For example, 39 of the 50 states in the US have data security breach notification laws. A small but growing number of states now also require some level of protection for personal and financial data. Obviously, there is still a long, long way to go, but at least seeing changes such as the recent amendment to Indiana’s law concerning protection of personal information is very much a step in the right direction.
And while we are at it, let’s be sure to give a word of praise to both State Representative Matt Pierce, the author of the legislation, and a persistent graduate student from Indiana University named Chris Saghoian. Last year Saghoian contacted Rep. Pierce, requesting that he examine loopholes in the protection law as it was then and proposing ways to close them. Rep. Pierce should be credited with being open minded and knowing the right thing to do once he understood it. Saghoian also deserves considerable credit. If Saghoian had not taken the degree of initiative that he took, the new legislation would almost certainly never have been passed. Saghoian is young—he is still in school—yet he has already accomplished quite a feat. Think of the potential he has to make a tremendous impact over the span of his professional career!