Don't bother telling people if you lose their data, say Euro bods

Businesses should not need to notify consumers that their personal data has been lost or stolen if the data has been encrypted, EU ministers have said. Ministers in the Justice and Home Affairs Committee of the EU's Council of Ministers backed the plans as part of a wider partial agreement reached last week on reforms to EU …

  1. Ralara
  2. Anonymous Coward

    Sooo ROT13?

    "Such technological protection measures should include those that render the data unintelligible to any person who is not authorised to access it, in particular by encrypting the personal data,"

    and

    "appropriate technological protection measures"

    Who decides what is appropriate? Plus, it is all very well having strong encryption if the keys to that encryption are compromised. Do they need to inform in that instance?

    Personally, I can't see the sense in only having to say "IT'S ALL GONE!!!" only when not encrypted because there are too many unknowns. What is the problem with mandatory disclosure?

    I smell lobbying.

    1. Pascal Monett Silver badge

      Agreed on all points.

      Oh, and as far as I'm concerned, "appropriate technological protection measures" include encryption AND not handing out the keys to government-level spook agencies.

      My data is mine. If a government wants it, it can ask for it.

      Nicely.

      Or with a warrant, that works too.

      1. Jamie Kitson

        > My data is mine. If a government wants it, it can ask ME for it.

        There, fixed that for you.

  3. Bronek Kozicki

    as long as

    ... encryption is really strong (and key is kept safe), I don't see (much of) a problem.

    For all intents and purposes, losing heavily encrypted data is not different from losing any set of useless binary data. If businesses are not required to notify about the latter, then notification about the former would seem (a bit) superfluous to me.

    The difficulty is in determining what constitutes strong encryption and safe key. Perhaps I ought to look at this regulation.

    1. Version 1.0 Silver badge

      Re: as long as

      ROT-13 is strong .... most lusers never figure it out.

      1. tirk
        Coat

        ROT-13 is strong ...

        Especially if applied twice.

    2. Anonymous Coward

      Re: as long as

      If they were able to get in and read the data, who says they weren't able to read the decryption key too?

      Or even if the key is stored in some hardware device, you can still send messages to that device to ask it to decrypt the data for you. Who says they didn't do that?

    3. Trigonoceps occipitalis

      Re: as long as

      ... encryption is really strong (and key is kept safe), I don't see (much of) a problem.

      Until I can pop down to PC World and buy a quantum computer.

    4. Graham Cobb Silver badge

      Re: as long as

      Sorry, Bronek, I think you are wrong. Whether "heavily encrypted data" is useless depends a lot on what other information the attacker has. In particular, if the attacker knows some of the plaintext then they may be able to break the encryption much more easily.

      For example, a password database might be very securely encrypted. But if the attacker knows (or guesses, and can verify) some usernames and passwords that might lead to easier decryption of the whole thing. And inside information could also be very useful even if the keys themselves are not available.

      In other words, the problem is not about how well encrypted the data is, it is about the whole circumstances of the breach. Most of that is not known (and certainly should not be evaluated by the company losing the data). The only reasonable behaviour is to notify everyone involved on every loss of personal data, no matter how well the data is encrypted.

  4. Terry 6 Silver badge

    Encryption

    I think personally it'd be OK if the penalties for failing to encrypt data were stringent enough. And enough means that the people responsible would be prosecuted just like they would be for any breach of building or fire regs.

  5. Anonymous Coward

    You really wonder how they can propose something like this in times like these. Is lobbying that much stronger than common sense?

    If personal data is lost and happens to include credentials, we change them as a matter of precaution. In the future we won't be able to, because we weren't informed. Credit card details... same, we get them replaced.

    Why deliberately take a step backwards? There must be shed loads of lobbyists' money involved!

  6. Anonymous Coward
    WTF?

    This looks ambiguous at best...

    ...unless I misread it: Have they 72 hours from the point of breach *discovery* or the actual time and date of the breach? Makes a crapload of difference, that.

  7. nsld

    The principle is sound

    but it relies too heavily on "encryption" without really defining what the acceptable minimums are or what it considers to be "encryption"

    After all, adding a password to an Excel spreadsheet makes it harder to access, but it's not exactly secure or encrypted. To the average non-IT-savvy small business owner a password is about as far as they will go with "encryption".

    Without a clear definition and some standards it's going to fall at the first hurdle.

  8. g00se
    FAIL

    Yeah right

    And the same people who are stupid enough to lose it really can be trusted to encrypt it properly, can't they?

  9. heyrick Silver badge

    FOAD, please. Thank you..

    A person whose data has been pilfered should be informed. No exceptions. The encryption angle can be used to explain why this isn't a crisis.

    I can only imagine companies have lobbied hard for the "it isn't our fault we have shit security" defence.

    I notice the actual form of encryption is unspecified. Let's talk about...WEP. How about WPS? Or maybe we should consider unsalted hashes. Or, the best argument last, you'd have thought a big spook organisation like the NSA would keep all their secrets with the best protection money can buy. Look how well that turned out.

    1. Anonymous Coward
      WTF?

      Re: FOAD, please. Thank you..

      I found this interesting: 'Only if the processing is "occasional and unlikely to result in a risk for the rights and freedoms of individuals" or is undertaken by a public body would non-EU based organisations avoid this requirement.'

      Non-EU based public body organizations? Whose feet do these shoes fit?

  10. Anonymous Coward

    from Snowden

    'assume your adversary can compute one trillion reverse hashes per second'

    then this page at GRC calculates (linear) strength (ignoring *doors) up to 100 trillion/sec

    https://www.grc.com/haystack.htm

    ho hum

  11. This post has been deleted by its author

    1. Mark 85

      Re: FAIL

      THEN maybe we might start to get some good thinking on the matter.

      Really? I think you forgot who we're dealing with here.

  12. Henry Wertz 1 Gold badge

    They do need to specify...

    If they are going to do this, they do need to specify *what* cryptosystems are acceptable. There was one rights restriction system here in the US (which has been abandoned) that was using *XOR* to encrypt the data; they figured this would count as "encryption" and they could then use the DMCA like a bludgeon to hassle anyone who says "Hey, that's just XOR" and builds a player for it.

    If this isn't clarified, you WILL have a few companies use XOR or ROT13, and claim this means they don't have to report data losses.
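Graham Cobb's known-plaintext point and Henry Wertz's XOR/ROT13 point can be checked in a few lines. The following is an added illustration, not code from the article or from any commenter; the records, the key and the key-length bound are constructed for the demo.

```python
"""Why a 'we XORed it' or 'we ROT13ed it' claim does not render data
unintelligible: one known record is enough to recover the key and, with it,
every other record. All sample data below is constructed."""
import codecs

# constructed sample records (not real card numbers: they are test-vector style values)
RECORDS = [
    b"user=alice;card=4111111111111111;exp=12/27",
    b"user=bob;card=5500000000000004;exp=03/26",
    b"user=carol;card=340000000000009;exp=07/28",
]
KEY = b"s3cr3t"  # constructed repeating XOR key

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """'Encrypt' (and decrypt) with a short repeating XOR key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def rot13(text: str) -> str:
    """ROT13 is its own inverse, so 'applied twice' gives the plaintext back."""
    return codecs.encode(text, "rot_13")

def recover_xor_key(ciphertext: bytes, known_plaintext: bytes, max_len: int = 32):
    """Known-plaintext recovery: keystream = cipher XOR plain; the key is the
    shortest prefix that reproduces the whole known record (period search)."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for n in range(1, max_len + 1):
        candidate = stream[:n]
        if xor_repeating(ciphertext[:len(known_plaintext)], candidate) == known_plaintext:
            return candidate
    return None  # no short repeating key fits: scheme is not trivially periodic

def records_exposed_by_one_known_record(ciphertexts, known_index, known_plaintext):
    """Return every record an attacker recovers from a single known plaintext.
    A scheme meeting the 'unintelligible' bar would give nothing back here."""
    key = recover_xor_key(ciphertexts[known_index], known_plaintext)
    if key is None:
        return []
    return [xor_repeating(ct, key) for ct in ciphertexts]

def demo():
    """Encrypt the constructed records with XOR, then show the exposure."""
    ciphertexts = [xor_repeating(r, KEY) for r in RECORDS]
    return records_exposed_by_one_known_record(ciphertexts, 0, RECORDS[0])

if __name__ == "__main__":
    for r in demo():
        print(r.decode())
    print(rot13(rot13("ROT-13 is strong")))
```

The decisive input is the single record the attacker already holds, which is exactly why the decision to notify cannot hinge on the word "encrypted" alone.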

  13. DerekCurrie
    Thumb Down

    Today's Adjective List:

    Lazy

    Technologically illiterate

    Stupid

    Abusive

    Owned by the Corporate Oligarchy

    Hating the citizens

    Moronic

  14. Andy The Hat Silver badge

    "We lost the data when the burglars came a'burgling and took the server. But it doesn't matter as I had implemented strong encryption so I don't have to tell anyone. And I'm no muppet, the passwords for the database were securely stored - they're on the post-it stuck to my monitor ... where's my monitor ...?"
