Don't bother telling people if you lose their data, say Euro bods
Businesses should not need to notify consumers that their personal data has been lost or stolen if the data has been encrypted, EU ministers have said. Ministers in the Justice and Home Affairs Committee of the EU's Council of Ministers backed the plans as part of a wider partial agreement reached last week on reforms to EU …
COMMENTS
-
Wednesday 15th October 2014 11:28 GMT Anonymous Coward
Sooo ROT13?
"Such technological protection measures should include those that render the data unintelligible to any person who is not authorised to access it, in particular by encrypting the personal data,"
and
"appropriate technological protection measures"
Who decides what is appropriate? Plus, it is all very well having strong encryption if the keys to that encryption are compromised. Do they need to inform in that instance?
Personally, I can't see the sense in only having to say "IT'S ALL GONE!!!" only when not encrypted because there are too many unknowns. What is the problem with mandatory disclosure?
I smell lobbying.
-
Wednesday 15th October 2014 12:14 GMT Pascal Monett
Agreed on all points.
Oh, and as far as I'm concerned, "appropriate technological protection measures" include encryption AND not handing out the keys to government-level spook agencies.
My data is mine. If a government wants it, it can ask for it.
Nicely.
Or with a warrant, that works too.
-
-
Wednesday 15th October 2014 11:31 GMT Bronek Kozicki
as long as
... encryption is really strong (and the key is kept safe), I don't see (much of) a problem.
For all intents and purposes, losing heavily encrypted data is not different from losing any set of useless binary data. If businesses are not required to notify about the latter, then notification about the former would seem (a bit) superfluous to me.
The difficulty is in determining what constitutes strong encryption and safe key. Perhaps I ought to look at this regulation.
-
Friday 17th October 2014 09:52 GMT Graham Cobb
Re: as long as
Sorry, Bronek, I think you are wrong. Whether "heavily encrypted data" is useless depends a lot on what other information the attacker has. In particular, if the attacker knows some of the plaintext then they may be able to break the encryption much more easily.
For example, a password database might be very securely encrypted. But if the attacker knows (or guesses, and can verify) some usernames and passwords, that might lead to easier decryption of the whole thing. And inside information could also be very useful even if the keys themselves are not available.
In other words, the problem is not about how well encrypted the data is, it is about the whole circumstances of the breach. Most of that is not known (and certainly should not be evaluated by the company losing the data). The only reasonable behaviour is to notify everyone involved on every loss of personal data, no matter how well the data is encrypted.
-
Wednesday 15th October 2014 11:41 GMT Anonymous Coward
You really wonder how they can propose something like this in times like these. Is lobbying that much stronger than common sense?
If personal data is lost and happens to include credentials, we change them as a matter of precaution. In the future we won't be able to, because we weren't informed. Credit card details... same, we get them replaced.
Why deliberately take a step backwards? There must be shed loads of lobbyists' money involved!
-
Wednesday 15th October 2014 11:54 GMT nsld
The principle is sound
but it relies too heavily on "encryption" without really defining what the acceptable minimums are or what it considers to be "encryption"
After all, adding a password to an Excel spreadsheet makes it harder to access, but it's not exactly secure or encrypted. To the average non-IT-savvy small business owner a password is about as far as they will go with "encryption".
Without a clear definition and some standards it's going to fall at the first hurdle.
-
Wednesday 15th October 2014 13:35 GMT heyrick
FOAD, please. Thank you..
A person whose data has been pilfered should be informed. No exceptions. The encryption angle can be used to explain why this isn't a crisis.
I can only imagine companies have lobbied hard for the "it isn't our fault we have shit security" defence.
I notice the actual form of encryption is unspecified. Let's talk about... WEP. How about WPS? Or maybe we should consider unsalted hashes. Or, the best argument last, you'd have thought a big spook organisation like the NSA would keep all their secrets with the best protection money can buy. Look how well that turned out.
-
Wednesday 15th October 2014 22:16 GMT Anonymous Coward
Re: FOAD, please. Thank you..
I found this interesting: 'Only if the processing is "occasional and unlikely to result in a risk for the rights and freedoms of individuals" or is undertaken by a public body would non-EU based organisations avoid this requirement.'
Non-EU based public body organizations? Whose feet do these shoes fit?
-
-
Wednesday 15th October 2014 18:42 GMT Henry Wertz 1
They do need to specify...
If they are going to do this, they do need to specify *what* cryptosystems are acceptable. There was one rights restriction system here in the US (which has been abandoned) that was using *XOR* to encrypt the data; they figured this would count as "encryption" and they could then use the DMCA like a bludgeon to hassle anyone who says "Hey, that's just XOR" and builds a player for it.
If this isn't clarified, you WILL have a few companies use XOR or ROT13, and claim this means they don't have to report data losses.
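An added illustration (not from the thread or any poster) of why repeating-key XOR would not make lost data "unintelligible", tying together Graham Cobb's known-plaintext point and Henry Wertz's XOR concern: one guessable record (here the CSV header) hands over the whole key. The records and the key are constructed for the demo, and the key length is assumed known.

```python
from itertools import cycle

# Constructed sample "customer database" and made-up key (not real data).
KEY = b"s3cretK3y"
PLAINTEXT = (b"name,email,card\n"
             b"Alice Example,alice@example.com,4111111111111111\n"
             b"Bob Example,bob@example.com,5500000000000004\n")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same function both 'encrypts' and 'decrypts'."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


CIPHERTEXT = xor_with_key(PLAINTEXT, KEY)


def recover_key_from_crib(ciphertext: bytes, crib: bytes, offset: int,
                          key_len: int) -> bytes:
    """Derive the key from a known plaintext fragment (crib) at a known offset.

    Because c[i] = p[i] ^ key[i % key_len], every crib byte yields one key
    byte directly; a crib at least key_len bytes long reveals the whole key.
    The key length is assumed known here; in practice small lengths are
    simply tried in turn.
    """
    key = bytearray(key_len)
    filled = set()
    for i, p in enumerate(crib):
        pos = offset + i
        key[pos % key_len] = ciphertext[pos] ^ p
        filled.add(pos % key_len)
    if len(filled) < key_len:
        raise ValueError("crib too short to cover every key position")
    return bytes(key)


def demo() -> bytes:
    """Recover every record using only the public CSV header as the crib."""
    crib = b"name,email,card\n"  # knowable from the file format alone
    key = recover_key_from_crib(CIPHERTEXT, crib, offset=0, key_len=len(KEY))
    return xor_with_key(CIPHERTEXT, key)


if __name__ == "__main__":
    print(demo().decode())
```

The lesson for anyone evaluating an "it was encrypted" claim: a scheme where partial knowledge of the plaintext exposes the rest gives no grounds for skipping notification.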
-
Thursday 16th October 2014 09:01 GMT Andy The Hat
"We lost the data when the burglars came a'burgling and took the server. But it doesn't matter as I had implemented strong encryption so I don't have to tell anyone. And I'm no muppet, the passwords for the database were securely stored - they're on the post-it stuck to my monitor ... where's my monitor ...?"