Update/Clarification: Washington AG Seeks Data Breach Law That Ends Blanket Exemption for Encrypted Data

[Image: Square peg, round hole]

This update/clarification post explains how the proposed Washington state data breach notification law is really treating encrypted data and how it may actually be expanding the data breach safe harbor exceptions under that law.

I recently blogged about a newsletter I received from the Washington State Attorney General in which the AG was calling for a new data breach notification law for the State of Washington. Of the several points mentioned for the new breach notification law, the one that really stood out was the call to eliminate the blanket notification exemption for encrypted data that is the norm with these laws.

This point also got the attention of my friend Jim Brashear (@JFBrashear) who knows a thing or two about encryption as General Counsel for Zix, the world’s leader in email encryption. Not only did Jim find a link to the actual newsletter (HERE), but he shared with me some excellent analysis on what is in the proposal as well as the issue of encryption in general.

The issue of encryption is particularly relevant now, given some of the asinine talk we have been hearing about the US and UK’s possible cybersecurity “solutions” that could involve outlawing certain forms of encryption. (Yeah — when you get up off the floor, you can read more here: Obama and Cameron’s ‘solutions’ for cybersecurity will make the internet worse.)

Because of that, and because I always learn a lot from my conversations with Jim, I am sharing some of his insight with you that comes from an email from Jim:

The press release notes that current Washington law “does not require notifications concerning the release of ‘encrypted’ data, even when the encryption is easy to break or there is reason to believe that the encryption ‘key’ has been stolen.”

If any state data breach legislation (or rules) were to eliminate the notice exception for encrypted data, that would be bad [for everyone]. More importantly, that sort of law makes no sense. It would remove one incentive for businesses to use reasonable data protection.

But the legislation that the AG is advocating does not actually eliminate the exception for encrypted data … even though the bills delete the specific references to encryption. The legislation provides that “Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of criminal activity.” That would be true in the case of strong encryption where the key has not been compromised.

Here is the key language from the proposed legislation (HB 1078 / SB 504):

(1) Any person or business that conducts business in this state and that owns or licenses ((computerized)) data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of this state whose ((unencrypted)) personal information was, or is reasonably believed to have been, acquired by an unauthorized person. ((The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection (3) of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.)) Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of criminal activity.

THE TAKEAWAY: This proposed legislation does not eliminate the encryption safe harbor in situations where (1) strong encryption was used and (2) the encryption’s effectiveness has not been compromised. It does, however, broaden the safe harbor to include other situations where, even though there has been a breach, it “is not reasonably likely to subject consumers to a risk of criminal activity.”

The litigation to determine this “reasonably likely” standard could get real fun and the “experts” in this area will have a field day!


Shawn Tuma (@shawnetuma) is a cybersecurity lawyer business leaders trust to help solve problems with cutting-edge issues involving cyber risk and compliance, computer fraud, data breach and privacy, and intellectual property law. He is a partner at Scheef & Stone, LLP, a full service commercial law firm in Texas that represents businesses of all sizes across the United States.
