Will CA Law Spur Storage Crypto?

A new California law could prompt more companies to encrypt storage 'at rest'

April 23, 2003

While the practice of encrypting sensitive data across the Internet has long been established, there is far less consensus on the value of encrypting data "at rest" in a SAN. Now, a new law in California could provide a decisive answer to that question.

The California state law, which is set to go into effect July 1, 2003, is intended to combat the alarming growth of identity theft. State legislators passed the law following an incident in April 2002 in which hackers gained access to the California state comptroller’s payroll database. After getting past the perimeter security, the hackers easily rummaged through 265,000 employee records, including information such as bank accounts and Social Security numbers. The security breach wasn’t discovered for more than a month, and it took another few weeks before the affected employees were notified.

The California SB 1386 legislation requires all state agencies -- as well as all businesses that collect personal information from California customers -- to either promptly disclose security breaches or face severe penalties.

So what does all this have to do with storage? According to the law, encrypted data does not qualify as personal information. That little provision in the law already has vendors of storage security devices and software giddy at the prospect of a booming market for their products.

According to Hari Venkatacharya, the senior VP of strategic business development at storage security vendor Kasten Chase Applied Research Ltd., the new law is already prompting a number of companies to consider encrypting their storage. The law, he says, "is scary for any company. But if you’re encrypted, you don’t have to abide."

The law, along with a number of other storage security regulations coming down the pipeline, is forcing companies to recognize the importance of securing not only data in transit, but also data at rest, agrees Serge Plotkin, the CTO of storage security startup Decru Inc.

"History repeats itself," he says. "Five to ten years ago, everyone was attaching happily to the Internet without firewalls... Now it’s considered irresponsible not to use a firewall even in very small businesses... I believe the same thing will happen in storage."

Encryption is certainly one of the best ways for companies and institutions to avoid potential lawsuits in the wake of the law's implementation, says Scott W. Pink, the deputy chairman of the American Bar Association’s Cyber-Security Taskforce and an attorney with the Gary Cary law firm based in Sacramento, Calif. "The more security the industry puts in place, the less litigation there’s likely to be," says Pink.

Of course, the problem doesn’t exist only in California. On nearly a weekly basis, news leaks out of another major data-theft case. This past February, for instance, hackers accessed eight million American Express, MasterCard, and Visa credit-card numbers through a third-party processor; and last month, the University of Texas had to notify 55,000 students and employees that their Social Security numbers and email addresses had been hacked.

U.S. Senator Dianne Feinstein is currently in the process of evaluating whether or not the law should be elevated to the federal level. A spokesman for the senator refused to comment on the matter, saying it’s still under consideration.

Nevertheless, vendors are already anticipating a windfall. "We think this is a huge opportunity," says Scott Gordon, VP of marketing at NeoScale Systems. "Especially if other states start looking at this... We've already gotten sales-lead opportunities based on this."

But while storage security vendors may be happy with the new regulations, some observers say their enthusiasm is premature.

"School is still out on whether or not encryption is going to be more predominant in databases," says Doug Johnson, a senior analyst with the American Bankers Association, who adds that encryption can lead to a serious degradation of service. "I don’t think encryption is going to be the initial inclination... Institutions are more likely to protect the entry to the data, rather than encrypt the data on the server."

If companies do decide that encrypting data is the best step to take to protect themselves from lawsuits, they will have a long line of products to choose from. Over the past month, several companies have launched new encryption products for storage networks:

  • Last week, Kasten Chase announced three new products for securing SANs, including what it claims is the most comprehensive encryption system on the market. The company offers encryption cards that fit in SAN servers, encrypting the data even before it gets into the SAN (see Kasten Chase Secures SANs).

  • Decru announced a fast encryption device two weeks ago, with a throughput of up to 2 Gbit/s. The device sits in the storage network between storage units and clients, and is completely transparent, the company claims (see Decru Ships 2-Gig SAN Crypto).

  • NeoScale, which just raised $12 million in a second round of funding and appointed a new CEO, also offers in-band encryption appliances -- one for protecting primary storage in Fibre Channel storage arrays, and another for protecting data in tape arrays (see NeoScale Secures Funding, CEO and SAN Security Steps Out).

  • Vormetric Inc. earlier this month also launched a storage encryption appliance.

So what encryption solution will companies choose? Observers note that the California law does not specify what level of encryption is required. And it's still too early to say which vendors are the most likely to benefit, according to Enterprise Storage Group Inc. senior analyst Nancy Marrone, who points out that the market is far from mature.

"There are a lot of different approaches," she says. "It’s way too early to say which one is going to win."

The text of the California privacy law, SB 1386, is available here: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html.

— Eugénie Larson, Reporter, Byte and Switch
