Bills pending in the Michigan and Washington state legislatures would mandate that personal information stored in business computers be "encrypted." Legislatures are unwise to engage in such micro-management.
Pending Michigan Senate Bill (SB) 1022 would forbid a business from storing personally identifiable information in a database unless the information is encrypted. Similarly, in Washington State, pending House Bill (HB) 2574 would mandate that a business employ encryption when storing personal information on an Internet-connected computer server.
When a legislature specifies a technology like "encryption," it goes beyond stating a goal and requiring that the goal be met. The legislature selects the precise technical means for reaching the goal. In other words, when a legislature dictates technical measures like "encryption," it assumes the role of a professional engineer. But state legislatures are not qualified to provide professional engineering services!
Encryption is a powerful data security tool. But it is not necessarily always the best way to achieve a data security goal. The successful implementation of encryption in a specific setting involves many issues and trade-offs. For example, a panel of security experts recently pointed out that the encryption of data in storage (as opposed to data in transit) raises vexing questions about the key infrastructure that underpins the encryption. When an enterprise encrypts lots of its stored data, a hacker has an incentive to attack the encryption scheme's key infrastructure. If the hacker can defeat the key infrastructure, she can deny the enterprise access to its data. That means the hacker can put the enterprise out of business, or blackmail the enterprise. Thus, the indiscriminate use of encryption may increase the overall social risk associated with stored private data.
Data security is a complex field of engineering. State legislatures should steer clear of it.
In 1995 the Utah legislature adopted pioneering legislation to stimulate growth of public key infrastructure. The legislature received lots of detailed advice from experts. The legislature crafted legislation that was very technically specific. At the time, and for several years thereafter, some experts hailed the Utah legislation as a model and as a great catalyst for e-commerce. However, it is safe to say today that the Utah Digital Signature Act of 1995 was an absolute bust. It achieved none of its goals. It was far too technically specific to be of any value to industry.
The Michigan and Washington legislatures should remember the Utah experience as they draft legislation. A wise legislature might require, for example, that businesses use "reasonable security procedures" (a general goal) rather than that they use "encryption" (a specific technology).