Forty-eight of the 55 US states and territories have some form of data breach law on the books. Most of them require companies to simply notify their customers if their data has been stolen and possibly sold to an online criminal gang in Eastern Europe.

The problem with that approach to regulating security is that it’s reactive. By the time you get the letter in the mail, it’s already too late.

But that’s all changing now. New data encryption laws, and not just breach notification laws, are now making their way through state legislatures.


Data encryption laws, such as the ones in Nevada and Massachusetts, are designed to make it more difficult for the thugs roaming the wild, wild Web to steal your personally identifiable information (PII).

Personally identifiable information has many definitions, but basically, it’s a combination of a person’s first and last name, along with his or her social security number, credit or debit card numbers, user name, password, fingerprints, iris scans, address or telephone number.

The Massachusetts law is the de facto national standard, because it protects the personal information of all Massachusetts residents regardless of which state the data is stored and stolen in.

At the federal level, US Senator Patrick Leahy, D-Vt., has been trying to pass a federal data encryption law since 2005.

In November, Leahy’s bill, with bipartisan support, advanced out of the Senate Judiciary Committee.

“The Personal Data Privacy and Security Act will establish a much-needed national standard for breach notification, and clear requirements for securing Americans’ sensitive personal data,” said Leahy.

If Leahy’s bill passes in its current form, it would override state laws and become the new national standard.

But now it’s up to Senate Majority Leader Harry Reid to schedule the bill for Senate floor time. Erin Skinner Cochran, Reid’s Deputy Director of New Media, said the Senator has not made a decision on if or when Leahy’s bill would make the schedule.

Get beyond mere compliance

Security experts warn against chasing the requirements of any particular law or regulation.

Lumension’s Director of Marketing Chris Merritt said that legislatively “there’s an awful lot happening,” but he cautioned IT departments against embracing a checklist mentality towards security.

For example, in a much-publicized wireless network data breach, TJX Companies, Inc. succumbed to hackers who were stealing data off the retailer’s network for at least 18 months, and possibly for years. The company, Merritt said, had a checklist mentality towards security.

“You’ve got to move beyond mere compliance,” Merritt said. It’s wise to watch what’s happening with legislation, but he said companies and organizations should plan on creating a good “holistic security plan.”

Massachusetts agrees. Its regulations, which went into effect on March 1, 2010, mandate employee training, regular security audits and a Written Information Security Plan.

That means if data is lost or stolen, and your organization can’t provide proof of regulatory compliance, Massachusetts attorney general Martha Coakley might come knocking on your door with criminal charges and some hefty fines.

“The regulations do not provide a safe harbor from enforcement per se,” Massachusetts attorney general spokesperson Amie Breton said. To be in compliance, she explained, an organization must properly and accurately notify consumers of the breach, and it must have effectively assessed its data risks.

Defining encryption

The Commonwealth of Massachusetts defines encryption as “the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.”

To learn more about what it means to comply with these new data encryption laws, you might want to check out the National Institute of Standards and Technology’s “Federal Information Processing Standards” publications. FIPS is a collection of documents outlining the standards for storing and encrypting data that apply to non-military government agencies and to the contractors and vendors who work with them.

But FIPS is heavy reading, and difficult to relate to real world threats.

Wyatt Kash is the editor-in-chief for Government Computer News. He said, “The problem for organizations trying to follow NIST’s guidelines amid today’s increasing cyber-threats is akin to confronting a raging new pandemic with an encyclopedic field guide to holistic health care.”

An alternative to FIPS is the Consensus Audit Guidelines. This document establishes a baseline of 20 security measures and controls that all organizations should implement immediately.

The CAG is a subset of the NIST guidelines, compiled by a group of security experts from federal agencies such as the National Security Agency and the Department of Defense, and led by John Gilligan, former Air Force CIO.

The group’s recommendations focus almost exclusively on technology solutions, and therefore are not a substitute for the much more comprehensive NIST guidelines. The CAG is a starting point for organizations that are reviewing or implementing a new security plan.

“The new recommendations,” Kash said, “provide a much-needed priority list of essential security strategies and step-by-step measures that reflect lessons learned from some of the country’s most serious cyberattacks.”

But whether you adhere to FIPS, or start with CAG, the bottom line for every organization is to secure your network, secure your data and train your employees as part of a broad security plan.

“If you focus on true security, as opposed to checkmark compliance,” Merritt said, you should have no difficulty complying with any state or federal laws.

Keith Vance is a software engineer and a journalist. He's been developing Web applications professionally since 1997, and he received his journalism degree from the University of Washington in 2008.