Bent out of shape about all the data breaches exposing personal information? Tell us about it.

Agree with the fine, but it should increase dramatically for repeat offenders (taking into account the company needing a bit of time to implement the security provisions).
Regarding the "Safe harbor" for encrypted data:
Encryption techniques age badly. DES was good at one time, now it's...well...not so much. The same will happen with other encryption protocols. Safe harbor should only be granted for well-known encryption techniques with no known weaknesses. That way a company can't use DES and then claim 'safe harbor'. The company must also be aware of when the encryption protocols they use are no longer deemed to be secure.
Also, an encrypted file could be stored until such time as attacks become available on the encryption. Sounds unlikely, doesn't it? Encryption doesn't guarantee that someone will *never* be able to read the data; it just means that it's going to take a long long time to read it. A few years ago, the Secure Hash Algorithm (SHA-1), which had been considered robust, was suddenly shown to be vulnerable. What if the same sort of thing happened to AES or another cipher?
So, this boils down to