Food and discussion begins at 12:30 pm. Everyone invited.
Following an example set by California in 2003, at least 39 states now require companies or other organizations that accidentally release private data to notify the affected parties (or, in some cases, the public). In most of these laws, there is a “safe harbor” that eliminates or relaxes disclosure requirements if the leaked data was encrypted. CSO magazine, a trade publication for corporate executives who handle security, has published an interactive map of the U.S. with details on each measure.
One clearinghouse has cataloged at least 110 disclosures that have been made since the start of 2008.
Our own Center’s recent research into “cold boot” attacks on encryption keys demonstrated that most encryption systems used on laptops can be decrypted using simple materials and well-documented methods. It’s not clear how many data breaches have gone undisclosed thanks to the encryption safe harbor rules. But in light of this most recent result, there are serious questions about the wisdom of including this technical standard in statutory language. Will legislation be revised? Are there more “futureproof” ways for legislators to express their intent, on this and other technology questions? What might ideal language look like – and what external supports would it need?
The discussion will be led by Alex Halderman, who was the lead author of our recent paper.