Surveillance State

April 11, 2008 8:15 AM PDT

Finding the line between activism and reporting

by Chris Soghoian

A few weeks ago, I brought you news that Indiana's Governor had signed into law HB 1197, a data breach and encryption bill that I worked on.

What I have not revealed until now is the coercion and arm-twisting that accompanied the passage of this bill. While the details may not surprise jaded readers, they certainly gave me a reason to dislike the entire process, as well as one particular power-tripping legislator. Now that the bill, albeit a significantly slimmer version, has become law, I'm free to tell the story.

As regular readers of this blog know, I spent a significant amount of time this spring working on an update to Indiana's data breach laws. Along with my local State Representative, I co-wrote a bill that would fix loopholes in the existing rules, as well as designate the State Attorney General as a central reporting body, which would then post a copy of each report to its website.

The bill passed through House Committee without any problems, and was then passed unanimously by the State House of Representatives. Once the bill came up before the relevant Senate Committee, it drew the attention of lobbyists representing AT&T, Microsoft and Lexis Nexis, who flew in from Washington to try and kill the bill.

Eventually, the lobbyists got their way, and the bill was stripped of some of the most pro-consumer provisions. Shortly after this happened, I wrote a blog post on the subject, explaining what had happened, who had voted for the amendment, and which firms lobbied against the bill.

Coercion

After the bill passed through committee, the next step was for it to receive a second reading on the Senate floor. This was scheduled to happen on February 18th. At the end of that day, I went online, and saw that every single bill scheduled to receive its second reading that day had been read, except my bill. Curious as to what had happened, I made a few calls.

And this is where it gets interesting. A well-placed source told me that a powerful Republican Senator had taken offense to something I had written on my blog the week before, in which I mentioned that each member of the Senate Committee voting to shred the bill had previously received campaign donations from AT&T. My source relayed a threat from the Senator: either I had to remove the offending paragraph from my blog, or he would hold up the bill, and it would die in the Senate.

The offending text from the blog post:

AT&T donated over $170,000 to Indiana state legislators in the 2006 election cycle while Verizon donated $48,000. Furthermore, while I'm sure that all 11 of the senators on the committee are all upstanding and honest legislators, I think it's worth mentioning that only one senator (Arnold) has not received thousands of dollars from AT&T in the past. The rest have all taken Ma Bell's money: Steele (R), Bray (R), Drozda (R), Zakas (R), Waltz (R), Waterman (R), Howard (D), Young (D), Tallian (D), Lanane (D).

I'm sure this in no way influenced their votes on Tuesday, but it sure does give you food for thought.

This put me in a very difficult position. I had worked very hard on this bill, and this was my chance to close what I believed was a serious loophole in Indiana's existing breach laws. If I didn't cave to the Senator's demands, my bill would die, and with it, the chances of getting the law changed.

On the flip side, I hate the idea of censorship. I don't like being told what to write, or being told that I have to take something down. I think this is a feeling that I share with most of the Internet community -- be it cease and desist letters, or lawsuit threats, such attempts at stifling free speech are universally denounced (and usually evaded).

In addition to my own feelings, censorship is something that is not tolerated at CNET. Any edits I make to my own posts after publication must be struck out. Thus, removing an entire paragraph, let alone doing it silently without saying why, totally violated CNET policies, as well as basic journalistic standards.

To make matters worse, my source would only deliver the Senator's threat on the condition that it remain off the record. In later conversations, once I explained the trouble I'd get into with CNET over the silent deletion, he agreed to let me write about what had happened, as long as his name, and the Senator's name, were not revealed.

In the end, I decided to take down the text temporarily. I planned to post the offending text back online as soon as the Governor signed the bill into law. It was not a decision I was completely comfortable with, but I decided that passage of the bill was more important.

In hindsight, I'm not so sure that this was the right move. At the very least, I acknowledge that I let down both CNET, and the trust of my readers. This is something that I sincerely regret.

The day after I removed the paragraph, the bill had its second reading, and then a few days later, was passed unanimously by the State Senate. While he was unethical, the Senator did at least keep his word.

After the dust settled, I received some great advice from one of my mentors:

As a general rule it's difficult to wear two hats simultaneously in the legislative process. Fine to be a good citizen and propose necessary legislation. Fine also to be a whistleblower and call attention to legislative abuse. But very difficult to do both at the same time.

I'm not sure which hat I'll end up wearing for good. The entire process has left me with a fairly unpleasant taste in my mouth, made significantly worse by the fact that I still cannot name the Senator who abused his power.

March 25, 2008 8:30 AM PDT

Indiana passes blogger-written data breach bill

by Chris Soghoian

With a stroke of the Governor's pen on Monday, Indiana became one of the few states in the country to provide strong incentives for businesses to encrypt sensitive customer data. Unlike many of the laws that pass through state legislatures, this one was not ghostwritten by lobbyists or special interests. It was co-written by a tech-savvy state legislator and a blogger constituent ... me.

One of the biggest problems in the hundreds of data breach and data loss incidents that have been reported over the past few years is that so little of the data is encrypted. If a laptop containing sensitive medical information is stolen, the thief merely needs to turn it on to read through a goldmine of personal data.

Some government agencies have taken action following particularly heinous incidents. After the state of Ohio lost backup tapes containing 160,000 Social Security numbers that were kept in a summer intern's car, the state purchased McAfee disk encryption software for every state employee. Likewise, after the hugely embarrassing data loss incident at the Department of Veterans Affairs in 2006, the Bush Administration issued new standards mandating encryption for all federal agencies.

Laptop password loophole

Indiana passed a data breach reporting law in 2006. However, the law had a number of problems. The biggest of these involved laptop passwords.

Many state data breach laws are written in a way that incentivizes businesses to protect their customer data. It would be exceedingly difficult to pass a law forcing all businesses to encrypt their data, and so states opt for the carrot and the stick.

Businesses are given a choice: If you protect your customers' data, and you lose a laptop containing sensitive information, you won't have to spend the money and suffer the reputation hit by telling the public. That is, as long as you've protected the data sufficiently.

Indiana's law created this incentive by narrowly defining a data breach incident. The giant loophole in the law stated that businesses would not have to report an:

"Unauthorized acquisition of a portable electronic device on which personal information is stored, if access to the device is protected by a password that has not been disclosed."

As a computer security researcher, the problems in this sentence immediately jumped out at me. A password doesn't mean encryption; it merely means a password. Windows login passwords would satisfy the law, even if they did nothing to protect the data on the disk. An attacker could start up the device with a recovery CD, or use one of many software tools to break the Windows password -- which takes just a few seconds to do.

Changing the law

In mid 2007, I contacted my State Representative Matt Pierce and asked him to look into fixing the law. He liked the idea, and asked me to compile a list of the problems in the existing rules and suggested fixes.

In January 2008, Representative Pierce submitted a bill to committee that fixed the data encryption flaw, as well as requiring the attorney general of the state to post a copy of every data breach incident impacting 1 or more Indiana residents to an official website.

The bill passed through committee, and then passed unanimously through the Democratic-controlled House, 94-0. Unfortunately, once the bill arrived in the state Senate, it attracted the attention of lobbyists, some of whom flew in from Washington DC specifically to oppose the website reporting provision in the bill. The experience was eye-opening, and gave me a rapid education in the influence of money in politics. Sadly, the lobbyists from AT&T, Microsoft, and Lexis Nexis got their way.

In the end, the Republican-controlled Senate stripped out a number of portions of the proposed law. The bill that came out of the Senate, which included the laptop encryption fix, passed unanimously 46-0.

Finally, on Monday the 25th of March, Governor Mitch Daniels signed the bill into law.

As of July 1, 2008, Indiana's data breach law will be amended so that companies will not have to report the:

"Unauthorized acquisition of a portable electronic device on which personal information is stored, if all personal information on the device is protected by encryption and the encryption key:
(A) has not been compromised or disclosed; and
(B) is not in the possession of or known to the person who, without authorization, acquired or has access to the portable electronic device."

I am confident that Indiana's new law will provide an extremely strong incentive to businesses in the state. Either they can start using encryption to protect customers' data, or, when they do lose a laptop, they can pay the financial and reputation costs of having to send out hundreds of thousands of letters to consumers.

No business is being forced to do anything, but the smart ones will most likely start taking additional steps to protect customer data.

All the credit and thanks for this effort should go to Representative Matt Pierce, who fought the good fight, and waged battle against big money lobbyists. While the perfect bill did not pass, the change to the law is positive, and it would not have happened without Pierce's hard work.

About Surveillance State

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network and is not an employee of CNET.