When it comes to data security legislation, do you prefer the perspective of the White House, Capitol Hill or Beacon Hill? This is not a trick question.
While the White House refined its philosophy in the Cyberspace Policy Review (CPR) released in May, legislators in Washington had already introduced draft legislation in April embodying different approaches to data security.
The House of Representatives’ version, H.R. 2221, also known as the Data Accountability and Trust Act, appears to be a vehicle with which the executive and legislative branches of government will debate their differing cybersecurity philosophies. How those approaches differ could have a big impact on state laws.
The Cyberspace Policy Review focuses on long-term security policy and strategy rather than immediate solutions. We recently wrote about several significant recommendations from the report, which include:
- A proposal to consider federal issuance of national authentication credentials, similar to a passport.
- Increasing liability for failing to implement baseline, level-playing-field security controls.
- A recommendation to align federal and state laws to eliminate confusion and contradiction.
The White House report, overseen by Melissa Hathaway, states that government legislation has been “focused on the particular issue or technology of the day” and that current law and policy is a “complex patchwork,” while recommending an “integrated approach that combines … flexibility … and the protection of civil liberties.”
Prescribing specific technical approaches and technologies such as encryption has already generated controversy in data privacy and security laws, including Massachusetts’ 201 CMR 17.
One aspect that makes the Massachusetts regulations in their current form the most onerous or the most far-reaching in the U.S., depending on your point of view, is mandated 128-bit encryption. However, mandating specific methods and technologies could prove inflexible and rapidly obsolete.
The White House report did not take a hard-and-fast position one way or the other, but its leaning is evident in this passage from the CPR: “Privacy enhancing technologies such as encryption or controlled access authentication could ameliorate some risks in sharing information.”
Meanwhile, H.R. 2221 defines encryption as:
“data in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.”
What are your views and concerns about state data protection laws vs. federal legislation or policies from the executive branch? Do you think encryption should be included? If so, what kind? I’d like to hear. Write to firstname.lastname@example.org or reply to @SecuritySources on Twitter.