IT Compliance Advisor

Jul 29 2009   9:59PM GMT

Government bodies’ dueling legislative answers to data protection laws

By Sarah Cortes

When it comes to data security legislation, do you prefer the perspective of the White House, Capitol Hill or Beacon Hill? This is not a trick question.

While the White House refined its philosophy in the Cyberspace Policy Review (CPR) released in May, legislators in Washington had already introduced draft legislation in April embodying different approaches to data security.

The House of Representatives’ version, H.R. 2221, also known as the Data Accountability and Trust Act, appears to be a vehicle with which the executive and legislative branches of government will debate their differing cybersecurity philosophies. How those approaches differ could have a big impact on state laws.

The Cyberspace Policy Review focuses on long-term security policy and strategy rather than immediate solutions. We recently wrote about several significant recommendations from the report, which include:

  • A proposal to consider federal issuance of national authentication credentials, similar to a passport.
  • Increasing liability for failing to implement level-playing-field security controls.
  • A recommendation to align federal and state laws to eliminate confusion and contradiction.

The White House report, overseen by Melissa Hathaway, states that government legislation has been “focused on the particular issue or technology of the day” and that current law and policy is a “complex patchwork,” while recommending an “integrated approach that combines … flexibility … and the protection of civil liberties.”

Prescribing specific technical approaches and technologies such as encryption has already generated controversy in data privacy and security laws, including Massachusetts’ 201 CMR 17.

One aspect that makes the Massachusetts regulations in their current form the most onerous or the most far-reaching in the U.S., depending on your point of view, is their mandate of 128-bit encryption. However, mandating specific methods and technologies could prove inflexible and rapidly obsolete.

The White House report did not take a hard and fast position one way or the other, but its leaning is revealed in the CPR: “Privacy enhancing technologies such as encryption or controlled access authentication could ameliorate some risks in sharing information.”

Meanwhile, H.R. 2221 defines encryption as:

“data in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.”

What are your views and concerns about state data protection laws vs. federal legislation or policies from the executive branch? Do you think encryption should be included? If so, what kind? I’d like to hear. Write to editor@searchcompliance.com or reply to @SecuritySources on Twitter.
