Topics: Encryption, Security, Government, Privacy, News, Your Rights Online

New State Laws Could Make Encryption Widespread

New laws that took effect in Nevada on Oct. 1 and will kick in on Jan. 1 in Massachusetts may effectively mandate encryption for companies' hard drives, portable devices, and data transmissions. The laws will be binding on any organization that maintains personal information about residents of the two states. (Washington and Michigan are considering similar legislation.) Nevada's law deals mostly with transmitted information and Massachusetts's emphasizes stored information. Between them the two laws should put more of a dent into lax security practices than widespread laws requiring customer notification of data breaches have done. (Such laws are on the books in 40 states and by one estimate have reduced identity theft by 2%.) Here are a couple of legal takes on the impact of the new laws.
  • Legacy Systems? (Score:1, Interesting)

    by jellomizer ( 103300 ) on Friday October 17, 2008 @11:55AM (#25413487)

    There are still people running legacy systems that do not support encryption. Nor is it fast, easy, or cheap to get them to do so.
    Also I could see huge problems later on when the only IT guy who knows the key is fired, hit by the obligatory train, or quits. Forcing encryption isn't the answer, but penalties and legal repercussions if your data is stolen are more appropriate.
    While it is not the right time to say this politically, it is a case where they don't really need government intervention, as most companies will regulate themselves on this front, especially if they don't have immunity to legal problems if something goes wrong.

    It seems like the Democrats are doing the same thing the Republicans did after 9/11. Just as after 9/11 the Republicans pushed security to an extremist state, Democrats are using the financial crisis to push all those heavy regulations down our throats. Just as 7 years ago they went "those damn Democrats were too soft on security and look what happened", now the Democrats are going "those damn Republicans were so soft on regulating companies and look what happened."
    Same old, same old... Sigh...

  • by apathy maybe ( 922212 ) on Friday October 17, 2008 @11:57AM (#25413531)

    Or if they are in the UK.

    Let's say that this (good) idea is properly implemented (rather than just pretend implemented), and all the laptops have full disk encryption in place.

    Now someone with one of these laptops travels outside the US, and then flies back in and is asked to boot up the laptop. They will do so of course, and then, suddenly, there is no point to having the encryption, at that point. Sure it's still useful for cases where the laptop gets left on a train or something (assuming that they also require a password when opening a closed laptop, something that should be the case anyway), but it doesn't stop over-zealous and possibly corrupt government agents from looking over the info anyway.

    It is even worse if such a laptop goes with someone who knows the password to the UK...

    -----

    Over all though? Great idea, and anything that opens more people up to the idea of encryption and the need for it is probably good as well. The more people who can prevent the govt. from looking at their data, the better. (And see a previous comment in a different story about hiding data to prevent the govt. from forcing you to hand over your keys.)

  • Oh Lord (Score:3, Interesting)

    by TheHawke ( 237817 ) <rchapin@nOSpam.stx.rr.com> on Friday October 17, 2008 @11:57AM (#25413533)

    Here comes the flood of complaints that their systems are slow, not responsive or too busy.

    We have gunfights with our encryption client almost on a daily basis, being a resource hog and all that.

  • "nanny state"? (Score:3, Interesting)

    by Garse Janacek ( 554329 ) on Friday October 17, 2008 @11:58AM (#25413555)
    Okay, why is this already tagged "nanny state"? Is it somehow a fascist imposition on the free market to make companies protect the personal data of their customers? Aren't Slashdot articles run all the time criticizing how lax many corporations (including financial companies that should know better) are with their customers' data?
  • Why so expensive (Score:4, Interesting)

    by LordKronos ( 470910 ) on Friday October 17, 2008 @11:59AM (#25413581)

    The Massachusetts government estimates that a business with 10 employees will need to spend $3,000 up front, plus an additional $500 a month in order to comply. Security executives at larger firms said they expect to spend a similar amount per employee.

    It sounds to me like all you need to do is encrypt the hard drive and require a password, but if so, why so much? It seems $300 per person is probably on the expensive end for the software, but I'll let that one slide. However, $50 per person per month just to maintain the system? What is this cost for? What is there to maintain? The only thing I can think of is dealing with forgotten passwords, which will require restoring the system and losing whatever was on the laptop and not backed up. $600 per employee per year seems high for this.

  • Corporate interest (Score:4, Interesting)

    by crow ( 16139 ) on Friday October 17, 2008 @12:04PM (#25413665)

    I wonder if Massachusetts' concern about encrypting stored data has anything to do with EMC being headquartered in the state. Considering that EMC owns RSA (the company), a law like this would probably benefit EMC. Also, Massachusetts is home to TJX, famous for having had a major data breach.

    [Note: I work for EMC, but have no inside knowledge related to this topic.]

  • Re:Legacy Systems? (Score:1, Interesting)

    by Anonymous Coward on Friday October 17, 2008 @12:07PM (#25413701)

    I call BS. "Legacy systems that do not support encryption"? What does that even mean? Are these systems non-Turing-complete? Can they not run GnuPG? Is your claim that current cryptographic software is too resource-intensive to run on older systems? WTF?

  • Re:Legacy Systems? (Score:2, Interesting)

    by yttrstein ( 891553 ) on Friday October 17, 2008 @12:10PM (#25413755)

    What currently operational (and I mean operational, I don't mean just turned on and sitting in a corner gathering dust with a little yellow light peering from between paddle switches) legacy operating system can you in no way compile OpenSSL on?
  • Re:nannystate tag? (Score:3, Interesting)

    by peragrin ( 659227 ) on Friday October 17, 2008 @12:23PM (#25413983)

    A laptop is stolen weekly with 10000 credit card numbers on it. Yet the companies only respond to it when it affects their bottom line. This has to be law, as it will take another decade before most companies even think about it.

  • Re:Bad news (Score:4, Interesting)

    by MindKata ( 957167 ) on Friday October 17, 2008 @12:28PM (#25414041)
    "Information wants to be free."

    I don't know about free. Anything but free. This is government admitting they expect widespread monitoring of communications. For example, in the case of the UK, that means all business data will be scanned along with people's emails, so it makes sense that governments and companies with international offices are going to be worried their internal email documents are going to be intercepted.
  • Re:Why so expensive (Score:3, Interesting)

    by Beryllium Sphere(tm) ( 193358 ) on Friday October 17, 2008 @12:38PM (#25414185)

    Someone here must have been through an enterprise-wide encryption rollout. What did yours cost?

  • minimal effort (Score:3, Interesting)

    by Wyck ( 254936 ) on Friday October 17, 2008 @01:46PM (#25415159)

    I wonder if people will simply ROT13 [wikipedia.org] their data for cheap token compliance.

  • by Fencepost ( 107992 ) on Friday October 17, 2008 @01:58PM (#25415335)
    A requirement for on-disk encryption could actually be a real problem for many medical practices, because an astonishing number are still using slightly-updated versions of practice management software from the early- to mid-90's on systems like SCO's OpenServer 5.0.x. I support a fair number of those practices.

    We also have one practice running a dedicated system for ophthalmologists that is so old it doesn't understand networks. Users are connected via serial port expansion units. Makes it a pain when they have multiple sites and the telco says "We're dropping support for those 56k dedicated lines you've been using for 15 years."
  • Re:Okay whew (Score:4, Interesting)

    by ShieldW0lf ( 601553 ) on Friday October 17, 2008 @05:39PM (#25418745)

    Identity theft causes a breakdown in the system that allows a few very rich to wield excessive and arbitrary power while the majority struggles to meet their needs while surrounded by plenty.

    I'm not rich. I don't expect to be rich, I don't desire to be rich. To be rich is to stand on the neck of your fellow man and steal his share, and to spend each day ensuring that the exploitation isn't disrupted.

    I hope we see more identity theft. This system shouldn't exist, and the sooner it shatters due to its own inherent nature, the happier I will be.

    I've got an idea for a much better law. All data must be placed on public servers, like Wikileaks, where anyone can examine it at any time. Anyone attempting to conceal information under any circumstances is guilty of conspiracy and treason. That would make it pretty hard to steal someone's identity; you'd be caught for sure.

  • openssl des3 -d -salt -in file.des3 -out file.txt -k horsefeathers

    Your password can be read in /proc; top will gladly do the work for me. Don't ever give the password as part of the command line.

    And you're wrong, using crypto isn't hard. I use the full-disk encryption Ubuntu has spoon-fed me. When I boot, I enter "hunter2" at the password prompt. That's it.
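The exposure the comment above describes, and the out-of-band way of handing openssl a passphrase, as an added example that is not part of the thread. It assumes Linux /proc and a POSIX sh; the round trip at the end needs the openssl CLI and uses a constructed passphrase and plaintext.

```shell
# Added example (not from the thread): a passphrase passed as a command-line
# argument, like the "-k horsefeathers" quoted above, sits in /proc/<pid>/cmdline,
# which every local user can read. Assumes Linux /proc and a POSIX sh; the
# round trip at the end needs the openssl CLI and uses a constructed passphrase.

# Print the argv of a running process exactly as /proc exposes it to everyone.
cmdline_of() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# Stand-in for a long-running openssl call: "sh -c '...' name args" keeps the
# fake openssl argv in the sh process's cmdline while it sleeps.
# Returns 0 (true) when the constructed secret is visible to other users.
secret_visible_on_cmdline() {
    sh -c 'sleep 30; :' openssl des3 -d -salt -in file.des3 -out file.txt -k horsefeathers &
    pid=$!
    sleep 1                                     # let the child finish exec
    visible=1
    cmdline_of "$pid" | grep -q horsefeathers && visible=0
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null || true
    return "$visible"
}

# Mitigation: keep the passphrase in a mode-0600 file and hand it to openssl
# with -pass file:, so argv carries only the path (-pass stdin and -pass fd:N
# work the same way). Returns 0 when encrypt -> decrypt reproduces the input.
roundtrip_with_passfile() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not installed; skipping"; return 0; }
    dir=$(mktemp -d)
    ( umask 077; printf 'horsefeathers' > "$dir/pass" )   # constructed passphrase, 0600
    printf 'constructed plaintext\n' > "$dir/plain"
    if openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$dir/pass" \
            -in "$dir/plain" -out "$dir/enc" &&
       openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$dir/pass" \
            -in "$dir/enc" -out "$dir/dec" &&
       [ "$(cat "$dir/plain")" = "$(cat "$dir/dec")" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}

# Usage: report both checks.
secret_visible_on_cmdline && echo "passphrase visible in /proc/<pid>/cmdline"
roundtrip_with_passfile && echo "round trip via -pass file: succeeded"
```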
