With a stroke of the Governor's pen on Monday, Indiana became one of the few states in the country to provide strong incentives for businesses to encrypt sensitive customer data. Unlike many of the laws that pass through state legislatures, this one was not ghostwritten by lobbyists or special interests. It was co-written by a tech-savvy state legislator and a blogger constituent: me.
One of the biggest problems in the hundreds of data breach and data loss incidents that have been reported over the past few years is that so little of the data is encrypted. If a laptop containing sensitive medical information is stolen, the thief merely needs to turn it on to read through a goldmine of personal data.
Some government agencies have taken action following particularly heinous incidents. After the state of Ohio lost backup tapes containing 160,000 social security numbers that were kept in a summer intern's car, the state purchased McAfee disk encryption software for every state employee. Likewise, after the hugely embarrassing data loss incident at the Department of Veterans Affairs in 2006, the Bush Administration issued new standards mandating encryption for all federal agencies.
Laptop password loophole
Indiana passed a data breach reporting law in 2006. However, the law had a number of problems. The biggest of these involved laptop passwords.
Many state data breach laws are written to incentivize businesses to protect their customer data. It would be exceedingly difficult to pass a law forcing all businesses to encrypt their data, and so states opt for the carrot and the stick.
Businesses are given a choice: If you protect your customers' data and you lose a laptop containing sensitive information, you won't have to spend the money, or suffer the reputation hit, of telling the public. That is, as long as you've protected the data sufficiently.
Indiana's law created this incentive by narrowly defining a data breach incident. The giant loophole in the law stated that businesses would not have to report an:
"Unauthorized acquisition of a portable electronic device on which personal information is stored, if access to the device is protected by a password that has not been disclosed."
As a computer security researcher, the problems in this sentence immediately jumped out at me. A password doesn't mean encryption, it merely means a password. Windows login passwords would satisfy the law, even if they did nothing to protect the data on the disk. An attacker could start up the device with a recovery CD, or use one of many software tools to break the Windows password -- which will take just a few seconds to do.
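The distinction the paragraph draws is the core of the statutory fix, so here is an added illustration in Go (not code from the original post). It models a "password-protected" device image, where a login verifier gates the screen but the record is stored in clear, beside an encrypted image where the record is recoverable only with the key. The sample record, the salt and the single-hash key derivation are constructed for the example; a real disk encryption product uses a proper KDF and a hardware- or TPM-protected key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

var record = []byte("name=Jane Doe;ssn=000-00-0000;diagnosis=example") // constructed sample

// passwordGatedImage models a login password: a verifier gates the login screen, but the record lands on disk unchanged.
func passwordGatedImage(password string) []byte {
	v := sha256.Sum256([]byte(password))
	return append(v[:], record...)
}

// rawContainsRecord models reading the drive directly: no password prompt is involved, only the stored bytes.
func rawContainsRecord(image []byte) bool { return bytes.Contains(image, record) }

// newGCM builds AES-256-GCM from a passphrase; a salted SHA-256 stands in for a real KDF (PBKDF2, scrypt) here.
func newGCM(passphrase string) cipher.AEAD {
	key := sha256.Sum256([]byte("constructed-salt:" + passphrase))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)    // AES block size: cannot fail
	return gcm
}

// encryptedImage models an encrypted volume: nonce || ciphertext, with no plaintext written to disk.
func encryptedImage(passphrase string) []byte {
	gcm := newGCM(passphrase)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: refuse to write anything
	}
	return gcm.Seal(nonce, nonce, record, nil)
}

// decryptImage recovers the record only with the right key; a wrong key fails GCM authentication.
func decryptImage(passphrase string, image []byte) ([]byte, error) {
	gcm := newGCM(passphrase)
	n := gcm.NonceSize()
	if len(image) < n {
		return nil, errors.New("image too short")
	}
	return gcm.Open(nil, image[:n], image[n:], nil)
}
```

The first image satisfies the old law's "protected by a password" test while still containing every byte of personal information; only the second satisfies the new law's "protected by encryption" test.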
Changing the law
In mid-2007, I contacted my State Representative, Matt Pierce, and asked him to look into fixing the law. He liked the idea, and asked me to compile a list of the problems in the existing rules and suggested fixes.
In January 2008, Representative Pierce submitted a bill to committee that fixed the data encryption flaw and also required the state's attorney general to post a copy of every data breach incident affecting 1 or more Indiana residents to an official website.
The bill passed through committee, and then passed unanimously through the Democratic-controlled House, 94-0. Unfortunately, once the bill arrived in the state Senate, it had attracted the attention of lobbyists, some of whom flew in from Washington, DC specifically to oppose the website reporting provision in the bill. The experience was eye-opening, and gave me a rapid education in the influence of money in politics. Sadly, the lobbyists from AT&T, Microsoft, and LexisNexis got their way.
In the end, the Republican-controlled Senate stripped out a number of portions of the proposed law. The bill that came out of the Senate, which included the laptop encryption fix, passed unanimously, 46-0.
Finally, on Monday the 25th of March, Governor Mitch Daniels signed the bill into law.
As of July 1, 2008, Indiana's data breach law will be amended so that companies will not have to report the:
"Unauthorized acquisition of a portable electronic device on which personal information is stored, if all personal information on the device is protected by encryption and the encryption key:
(A) has not been compromised or disclosed; and
(B) is not in the possession of or known to the person who, without authorization, acquired or has access to the portable electronic device."
I am confident that Indiana's new law will provide an extremely strong incentive to businesses in the state. Either they start using encryption to protect customers' data, or, when they do lose a laptop, they pay the financial and reputation costs of having to send out hundreds of thousands of letters to consumers.
No business is being forced to do anything - but the smart ones will most likely start taking additional steps to protect customer data.
All the credit and thanks for this effort should go to Representative Matt Pierce, who fought the good fight, and waged battle against big money lobbyists. While the perfect bill did not pass, the change to the law is positive, and it would not have happened without Pierce's hard work.