Slashdot Mirror


CA Law Demands Public Disclosure Of Break-Ins

AuntieMisha writes "BusinessWeek has an article about a new California law passed that requires businesses to publicly disclose information about break-ins. The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation. IMHO, big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don't have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good."

16 of 188 comments

  1. Sounds good to me... by dfn5 · · Score: 3, Funny
    Small businesses that don't have the resources to maintain an investigation will have their reputations ruined.

    Small businesses can hire me as a security consultant. And I can do my consulting by hacking^H^H^H^H^H^H telecommuting my way into California from my New Hampshire home.

    --
    -- Thou hast strayed far from the path of the Avatar.
    1. Re:Sounds good to me... by Havokmon · · Score: 3, Funny
      Small businesses that don't have the resources to maintain an investigation will have their reputations ruined.
      Small businesses can hire me as a security consultant. And I can do my consulting by hacking^H^H^H^H^H^H telecommuting my way into California from my New Hampshire home.

      Day 1: Began searching "Google" for perpetrators (known hangout for 'haXors').

      Day 5: Still Searching Google. Found many people distributing doctored pics of Natalie Portman, but no perps.

      Day 12: No information found at Google. Now searching internationally, trying AltaVista (personal note, penis +1/4").

      Day 17: Perps deface Nasa site. Personal note:
      1. add more fake entries until Feds nab Nasa perps
      2. Blame break-in on Nasa perps
      3. Profit!

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  2. Re:Loophole by Angry+White+Guy · · Score: 3, Funny

    Naw, Chief Wiggum.
    "I'd rather let a thousand criminals go than chase after them..."

    --
    You think that I'm crazy, you should see this guy!
  3. Misread by verloren · · Score: 4, Funny

    Computer Associates is writing laws now? And I thought Microsoft had influence with the gov..

    oh, right, California...

  4. Re:But how do you enforce this? by bovilexics · · Score: 5, Funny

    From the article...

    • Come July 1, 2003, those who fail to disclose that a breach has occurred could be liable for civil damages or face class actions.

    They (the CA government) don't need to audit or enforce anything. It is self-enforcing for those businesses that feel they may be sued and have to pay monetary payments for NOT reporting the incident. If a given company doesn't feel it can be successfully sued due to the incident then there probably wouldn't be a public reporting of it.

    It's just a CYA that would have to be handled on a case by case basis for each company and wouldn't be enforced by auditors and the like.

    --
    Are you bovilexic? Moo!
  5. Re:The bigger picture by Kamel+Jockey · · Score: 5, Funny

    that won't help me if Bob Hacker over here can make it look like I never invested in the first place

    For some of us, this could be a very good thing!

    --
    In case of fire, do not use elevator. Use water!
  6. I can see it now... by Waab · · Score: 3, Funny

    Microsoft (Nasdaq: MSFT) filed documents with the SEC today relating to a breach of network security.

    According to the filings, at 5:23 AM last Tuesday, Microsoft's network was "owned" by a hacker calling himself "Z3r0 kew10r". While the hacker referred to himself as "1337" in his defacement of Microsoft's webpage, Microsoft CEO Bill Gates indicated that the security breach was very minor.

    In a press release accompanying the filing, Gates said: "t#1s punk th1nks h3's 1337 but h3's just a littl3 scr1p7 k1dd13 and i'm g0nna sh0w h1m what 1337 is when m3 and the M$ haxx0r cr3w crak his b0xx0r!"

  7. New business opportunity by kawika · · Score: 4, Funny

    >> The only loophole is if there is an ongoing investigation

    I would like to point out that ongoinginvestigation.com is still available for registration. Imagine the business you'll get in California! Certainly it will be worth a few bucks a month to a company's reputation to hire you to keep the investigation ongoing.

  8. Re:Yay, verily by BlueUnderwear · · Score: 3, Funny
    Most businesses that get hacked surely do the right thing and inform customers.

    Heck, even some spammers do it. Look at this choice piece from buystainlessonline, it's hilarious:

    From sales@buystainlessonline.com Tue Oct 22 15:46:16 2002
    Return-Path: <sales@buystainlessonline.com>
    Received: from xxxxxx.xxxxxxxx.xx (xxxxxx.xxxxxxxx.xx [xxx.xxx.xx.xxx])
    by xxxxxx.xxx.xx (8.12.3/8.12.3/SuSE Linux 0.6) with ESMTP id g9MDkJVR020365
    for <xxxxxx@xxxxxxxxxx.xxx.xx>; Tue, 22 Oct 2002 15:46:24 +0200
    Received: from linuxpow.com (IDENT:qmailr@linuxpow.com [12.149.2.10])
    by xxxxxx.xxxxxxxx.xx (8.11.6/8.11.6) with SMTP id g9MDkFQ16222
    for <xxxxx@xxxxx.xx>; Tue, 22 Oct 2002 15:46:16 +0200
    Date: Tue, 22 Oct 2002 15:46:16 +0200
    Message-Id: <200210221346.g9MDkFQ16222@xxxxxx.xxxxxxxx.xx>
    Received: (qmail 13748 invoked from network); 22 Oct 2002 12:08:48 -0000
    Received: from buystainlessonline.com (HELO ) (nobody@12.149.2.55)
    by mail.buystainlessonline.com with SMTP; 22 Oct 2002 12:08:48 -0000
    Subject: HACKERS ATTACKED...E-MAILS TO RESUME... PLEASE READ
    To: xxxxx@xxxxx.xx
    From: "BuyStainlessOnline.com" <sales@buystainlessonline.com>
    Content-Type:
    X-UID: 468

    ATTENTION! This email will be sent twice before we resume our weekly newsletter.

    Over the course of the last year, our E-mail system was attacked by HACKERS twice, resulting in the corruption of our marketing system. If you are on this E-mail list and did not request to be, please be ADVISED that this is your opportunity to be REMOVED. We have been going through our E-mail database for the last 3 months to fix errors, this has stopped us from sending our regular e-mail THE STAINLESS STEEL NETWORK. We have done our best to "CLEAN" our list. If you are getting this and wish to be removed, this is your chance. Effective 10/28/02, we will resume sending this email weekly. If you wish to be removed, click the LINK below. If you use AOL, you must COPY and PASTE the link into the browser (http://). This will remove you immediately.


    Thank you for your time!
    Mgmt

    www.BuyStainlessOnline.com
    Your Place for Stainless Today.


    International 215.604.5922
    Fax 215.638.4960

    Click Here to REGISTER!
    https://www.buystainlessonline.com/registration/registration.php

    Unsubscribe By clicking below:
    http://www.buystainlessonline.com/email/mail.php?action=delete&eval=125410&email=xxxxx@xxxxx.xx

    Seems like some net vigilante typed 'or 1=1-- or something of that ilk into the spammer's remove link, or whatever...

    --
    Say no to software patents.
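The comment above only guesses that a `' or 1=1--` payload in the unsubscribe link's `email` parameter is what wrecked the spammer's list. The following is an added example, not code from the thread or from buystainlessonline.com, showing how that guess would play out against a hand-rolled `action=delete` handler that concatenates the `eval` and `email` query parameters into a DELETE statement, next to the parameterised version that defuses it. The table layout, the handler names and the subscriber rows are all constructed for illustration; only the parameter names `eval` and `email` come from the quoted link.

```python
"""
Added example (not from the original thread): how the "' or 1=1--" guess
in the comment above would play out against a naive unsubscribe handler.
The table layout and handlers are constructed for illustration; nothing
here reproduces the spammer's actual code.
"""
import sqlite3
from typing import Tuple

# Constructed sample subscriber list, standing in for the spammer's database.
# Column names mirror the query-string parameters in the quoted unsubscribe link.
SUBSCRIBERS = [
    (125410, "xxxxx@xxxxx.xx"),
    (125411, "alice@example.org"),
    (125412, "bob@example.net"),
]


def fresh_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed subscriber list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (eval INTEGER, email TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)", SUBSCRIBERS)
    conn.commit()
    return conn


def unsubscribe_vulnerable(conn: sqlite3.Connection, eval_id: str, email: str) -> int:
    """String-concatenated DELETE of the kind the comment suspects.

    Returns the number of rows removed. With a hostile `email`, the
    attacker's text becomes part of the SQL statement itself:
    ... AND email = '' OR 1=1--'   -> the WHERE clause is always true.
    """
    sql = (
        "DELETE FROM subscribers WHERE eval = " + eval_id
        + " AND email = '" + email + "'"
    )
    cur = conn.execute(sql)  # executes attacker-controlled SQL
    conn.commit()
    return cur.rowcount


def unsubscribe_fixed(conn: sqlite3.Connection, eval_id: str, email: str) -> int:
    """Parameterised DELETE: the same inputs are bound as data, never as SQL."""
    if not eval_id.isdigit():
        return 0  # reject anything that is not a plain numeric id
    cur = conn.execute(
        "DELETE FROM subscribers WHERE eval = ? AND email = ?",
        (int(eval_id), email),
    )
    conn.commit()
    return cur.rowcount


def remaining(conn: sqlite3.Connection) -> int:
    """Rows still on the list after a handler has run."""
    return conn.execute("SELECT COUNT(*) FROM subscribers").fetchone()[0]


def demo(handler) -> Tuple[int, int]:
    """Run one handler against a fresh DB with the injection payload.

    Returns (rows_deleted, rows_remaining).
    """
    conn = fresh_db()
    payload = "' OR 1=1--"  # the guess from the comment
    deleted = handler(conn, "125410", payload)
    return deleted, remaining(conn)


if __name__ == "__main__":
    print("vulnerable:", demo(unsubscribe_vulnerable))  # (3, 0): whole list gone
    print("fixed:     ", demo(unsubscribe_fixed))       # (0, 3): no such address, nothing removed
```

Note that the injection works because SQLite, like MySQL and most other engines, treats `--` as the start of a comment, so the closing quote the handler appends is discarded and the `OR 1=1` survives. The fixed handler needs no escaping at all: binding the values keeps them out of the statement's grammar, and the numeric check on `eval` rejects the other obvious injection point.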
  9. Re:Yay, verily by _anomaly_ · · Score: 2, Funny
    Computer-security breaches must be treated like any other issue of public safety, and people must be informed when they're at risk.

    Computer security breaches are hardly similar to other issues of public safety. Announcing that a breach has occurred when there is no viable solution to keep it from happening again (either to the same company or other companies using the same software) would put the public's safety at an even greater risk.
    If it involves any of my personal data, then I would rather them keep their mouths shut for damage control until there is a solution to the original problem.
    It is sort of a catch-22 though. Other companies using the same software would be unaware of the vulnerability until a solution to the problem is found by that one company (which could potentially be slower than if many companies were looking for a fix). Maybe what we need is a *trusted* network (not in the ether sense of the word) where vulnerabilities could be posted without getting the word out to the people that would use this information maliciously.

    --
    "I have no special gift, I am only passionately curious." - Albert Einstein
  10. Lawmaker Cluelessness and Double-Standard by limekiller4 · · Score: 4, Funny

    On one hand you have lawmakers calling hackers 'thugs' and 'criminals' because -- and this is generally after months of reporting the problem to, say, Microsoft -- they notify the public that there is a security hole.

    NOW they're going to make it illegal to not notify the public. Is telling the world about a security breach irresponsible or isn't it?

    Yeesh. I feel like the whole gang from Bloom County who didn't know if they were watching "F Troop" or CNN and thus whether they should be enjoying the carnage or not.

    --
    My .02,
    Limekiller
  11. Trolling for Karma by nege · · Score: 3, Funny

    Microsoft.

    0 break-ins reported, 7,435 break-ins currently being investigated.

  12. Sure, scare the bejezus out of the llama cash cows by Killall+-9+Bash · · Score: 3, Funny

    I'm Mr. Average Investor.
    I find out that my #1 favorite stock I dumped thousands into on the advice of my dentist has recently fallen victim to an 11-year-old IRC junkie.

    Do I:
    a. invest more money in my company, showing appreciation for the company's candor.
    b. Murmur something very Zen to myself about the strongest tree bending in the wind, while noting the fact that no real damage was done.
    c. put a hummingbird to shame frantically clicking the refresh button on IE6, neurotically waiting for the stock to move a tick up or down.
    d. scream "SELL SELL SELL" into my cellphone while barely avoiding a head-on collision in my SUV.
    e. dump all of my money into precious metals and move to an obscure island nation in preparation for the inevitable global economic collapse.


    and.... pencils down.

    --
    "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  13. Interactions with Berman cyber-vigilante bill? by extremecenter · · Score: 4, Funny

    So if Ca. Congresscritter Berman's cyber vigilante bill passes, there will be a surefire method of dealing with pesky business competitors: attack their systems on the pretext that they might have some of your copyrighted data. If they report the break-in, they'll get bad publicity. If they don't report it, have your lawyers point out that fact to the appropriate authorities and they get busted for not reporting the break-in, also generating bad publicity for them. On the upside, this looks like a full-employment bill for security types.

  14. The consequence is simple... by Kindaian · · Score: 2, Funny

    Big corporations will have an internal investigation department and thus never reveal anything...

    Small corporations will simply classify the event as "computer malfunction" and reinstall all the software and document the event as such...

    In the end, California will be the only place in the world where there isn't any break in at all... at least reported publicly...

    Cheers...

  15. Re:Sure, scare the bejezus out of the llama cash c by hawkfan · · Score: 2, Funny

    1. Buy Microsoft products
    2. Exploit MS security holes
    3. Short MSFT
    4. Disclose information about the break-in
    5. Profit!