10.17.2008

Mandatory Encryption - a silent tax.

A Nevada law that took effect this month requires all businesses there to encrypt personally identifiable customer data, including names and credit-card numbers, that they transmit electronically.
Cool.

So - where are the keys?

PKIX notwithstanding - one-sided (server-only) authentication works in the web world: HTTPS/TLS encrypts the session without the customer holding any key or certificate, and presumably would fulfill the requirement of encryption during transmission. We have it today - no new cost involved.

But email encryption implies S/MIME or proprietary schemes, and a set of technology that users and businesses alike must have. It means that those communicating with a business are not only "registered" with that business but also hold the appropriate software and security artifacts (keys, certs, what have you) - and the business must have each customer's public key before it can send that customer anything. Average per-user cost? $50 a computer, according to estimates.

The Wall Street Journal goes on to report:
The new state data-security laws are stricter than past regulations, which only required businesses to notify people whose personal information they lost. The new laws establish a standard that can be used by plaintiffs in civil suits to argue that a business that lost data was negligent, said Miriam Wugmeister, an attorney with Morrison & Foerster LLP.
So - how well would the new legislation have protected the 47 million customers of TJX, the parent of T.J. Maxx?

A better solution might be to require companies that transact business with retail customers to delete the card data once the transaction has completed and been approved by the card issuer, retaining only what a later refund or dispute needs. Leave the essential card authentication data in the hands of the cardholder, not the merchant.
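What that retention rule might look like in merchant code, as an added example that is not the post's own: the full card number lives in the order record only for the duration of the authorization call and is scrubbed in a finally block, so it cannot survive a crash in that step either. The issuer call, the Luhn check and the order fields are stand-ins (assumptions), not any real processor API.

```python
from dataclasses import dataclass
from typing import Optional
import re

# Added illustration, not the post's code. The "issuer" below is a constructed
# stand-in that approves any syntactically valid card number; a real merchant
# would call its payment processor here.

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: catches typos, not fraud."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


@dataclass
class IssuerDecision:
    approved: bool
    auth_code: Optional[str]


def issuer_authorize(pan: str, amount_cents: int) -> IssuerDecision:
    """Constructed stand-in for the card network (not a real API)."""
    if PAN_RE.match(pan) and luhn_ok(pan) and amount_cents > 0:
        return IssuerDecision(True, "A%06d" % (int(pan[-6:]) % 1000000))
    return IssuerDecision(False, None)


@dataclass
class Order:
    order_id: str
    amount_cents: int
    # Populated only between checkout and the issuer's answer.
    pan: Optional[str] = None
    # Everything a later refund or dispute lookup needs; kept after the scrub.
    last4: Optional[str] = None
    auth_code: Optional[str] = None
    state: str = "pending"


def checkout(order: Order, pan: str) -> Order:
    """Authorize the card, then scrub the full number whether approved or not."""
    order.pan = pan
    order.state = "authorizing"
    try:
        decision = issuer_authorize(pan, order.amount_cents)
        if decision.approved:
            order.last4 = pan[-4:]
            order.auth_code = decision.auth_code
            order.state = "approved"
        else:
            order.state = "declined"
    finally:
        # Runs even if the issuer call raised: the full PAN never outlives
        # the authorization attempt.
        order.pan = None
    return order


def retained_fields(order: Order) -> dict:
    """The fields that would actually land in the merchant database."""
    return {k: v for k, v in order.__dict__.items() if v is not None}


if __name__ == "__main__":
    # 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    print(retained_fields(checkout(Order("ord-1", 1999), "4111111111111111")))
```

The point of the finally block is that the scrub is not conditional on the happy path: a timeout, an exception in the processor client, or a decline all leave the record without the card number, which is the state the post argues the merchant should be in.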

This doesn't solve the other use cases - medical records or portions thereof, or business-to-business communications - but the latter is far narrower in scope than the consumer case.

Healthcare organizations will be driven to more web-based interactions with their patients, forgoing the quick doctor's note the patient asked for. Instead they will simply send a link saying "Sign in to discover what we can't tell you here."

Mandating "encryption" is like mandating the color of your car - it may look nice, but it's probably not exactly what you wanted, especially when you have to pay for it.
