funsec mailing list archives

Re: [privacy] Nevada Law Mandates Encryption of Electronically-Transmitted Personal Information


From: "Brian Loe" <knobdy () gmail com>
Date: Mon, 8 Oct 2007 18:10:36 -0500

On 10/8/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:

> Go ahead and try to get that to actually fly.

It's not difficult, you add a line to the law that says no PHI will be
transmitted via FAX.

My former employer spent roughly 50k on an encrypted e-mail solution,
spending nothing to not use a FAX seems pretty easy.


> And if it was encrypted on the wire, it would *still* have been faxing
> *encrypted* prescription info that then gets printed out in plaintext to a
> bank, and spending a day calling another bank to make them stop faxing
> *encrypted* personal info that then gets printed out in plaintext.

You're a genius. See my first point - disallow FAX transmissions of
sensitive, personal information.

> The problem isn't on the wire, the problem is at the *endpoints*.  Changing
> the on-wire representation doesn't fix the endpoints.

That is the case whether you are dealing with FAX machines or e-mails
or web interfaces. Someone prints the data off and leaves it on the
printer; someone fails to lock their workstation; someone loses or has
their laptop stolen. Once again we're back to the same obvious
argument, we're limiting risk not eliminating it.