http://emergentchaos.com/archives/2008/04/virginia-gets-it.html The Emergent Chaos Jazz Combo Wed, 01 Feb 2012 19:20:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://emergentchaos.com/archives/2008/04/virginia-gets-it.html/comment-page-1#comment-4550 Reader X Mon, 21 Apr 2008 13:00:18 +0000 http://emergentchaos.com/?p=2723#comment-4550 Agreed. Once again the law presumes all encryption is equally strong. There's a partial remediation in that disclose must occur if the key is compromised and the entity determines that there is intent to commit ID theft, but the effectiveness of this clause is entirely dependent on the AG's ability to smell a rat. <i>C. An individual or entity shall disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft or other fraud to any resident of the Commonwealth.</i> A better approach is to force the entity to assess the risks in front of the AG and disclose if abuse of the data is reasonably possible (not probable) as does GLBA. Agreed. Once again the law presumes all encryption is equally strong.
There’s a partial remediation in that disclose must occur if the key is compromised and the entity determines that there is intent to commit ID theft, but the effectiveness of this clause is entirely dependent on the AG’s ability to smell a rat.
C. An individual or entity shall disclose the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form, or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such a breach has caused or will cause identity theft or other fraud to any resident of the Commonwealth.
A better approach is to force the entity to assess the risks in front of the AG and disclose if abuse of the data is reasonably possible (not probable) as does GLBA.

]]> http://emergentchaos.com/archives/2008/04/virginia-gets-it.html/comment-page-1#comment-4549 DF Wed, 16 Apr 2008 12:09:28 +0000 http://emergentchaos.com/?p=2723#comment-4549 Apparently a simple XORing of the data counts as encryption: "...or the securing of the information by another method that renders the data elements unreadable or unusable." Have I understood that correctly? Apparently a simple XORing of the data counts as encryption:
“…or the securing of the information by another method that renders the data elements unreadable or unusable.”
Have I understood that correctly?

]]> http://emergentchaos.com/archives/2008/04/virginia-gets-it.html/comment-page-1#comment-4548 Chris Tue, 15 Apr 2008 10:35:21 +0000 http://emergentchaos.com/?p=2723#comment-4548 Agree. Agree.

]]> http://emergentchaos.com/archives/2008/04/virginia-gets-it.html/comment-page-1#comment-4547 Dissent Tue, 15 Apr 2008 09:52:57 +0000 http://emergentchaos.com/?p=2723#comment-4547 Yeah, I like that part, but they're setting a high standard for triggering notification: " "Breach of the security of the system??? means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth." "Access" is better (in my opinion) than "access and acquisition." I'm still in communications with two states, trying to get them to post their notifications online like NH does. Yeah, I like that part, but they’re setting a high standard for triggering notification:
” “Breach of the security of the system??? means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth.”
“Access” is better (in my opinion) than “access and acquisition.”
I’m still in communications with two states, trying to get them to post their notifications online like NH does.

]]>