Slashdot Mirror


CA Law Demands Public Disclosure Of Break-Ins

AuntieMisha writes "BusinessWeek has an article about a new California law passed that requires businesses to publicly disclose information about break-ins. The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation. IMHO, big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don't have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good."

5 of 188 comments

  1. Re:Yay, verily by Anonymous Coward · Score: 1, Informative
  2. Not all cyber break-ins by sdowney · Score: 3, Informative
    "[The law] mandates public disclosure of computer-security breaches in which confidential information may have been compromised."

    So if your web server is hacked and defaced, you don't have to reveal anything. If your credit card database is hacked, you do.

    I don't see the problem with this. As it is, confidential information is exposed, and no one knows about it.

  3. Some crucial missing words... by Otter · Score: 5, Informative
    Note that this legislation "mandates public disclosure of computer-security breaches in which confidential information may have been compromised". It doesn't mean that any web server that gets owned has to be publicly reported.

    Maybe that's obvious to the submitter, but I was horrified that such a burdensome and unnecessary law was passed. And reading other posts, a lot of others didn't get it either.

  4. Re:How about security auditing? by mph · Score: 2, Informative

    It would be a stretch to claim that confidential materials are compromised when the "break-in" was performed by staff (consultants, whatever) who are authorized to do so.

  5. Misleading by krangomatik · Score: 4, Informative

    After reading the text of SB1386 (the Bill referenced in this article) I think the Slashdot blurb on this was a bit misleading. California isn't demanding "Public Disclosure Of Break-Ins." This makes it sound like whenever there is a break-in it must be disclosed. This isn't really the case. Notifications only have to take place when the following criteria are met:

    "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
    (1) Social security number.
    (2) Driver's license number or California Identification Card number.
    (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
    (f) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.


    As for this "investigation" loophole, this only applies to ongoing investigations being conducted by law enforcement agencies. I know that a large company may have a bit more clout in getting an investigation started, but even so they can only delay disclosure if "a law enforcement agency determines that the notification will impede a criminal investigation." So I'm not sure how big of a "loophole" this is.

    As for the notification methods, it doesn't look like full public disclosure is what the bill is aiming at. It looks more like they just want the people whose information was compromised to be notified. Here is the section on notification:

    (g) For purposes of this section, "notice" may be provided by one of the following methods:
    (1) Written notice.
    (2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code.
    (3) Substitute notice, if the agency demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds 500,000, or the agency does not have sufficient contact information. Substitute notice shall consist of all of the following:
    (A) E-mail notice when the agency has an e-mail address for the subject persons.
    (B) Conspicuous posting of the notice on the agency's Web site page, if the agency maintains one.
    (C) Notification to major statewide media.
    (h) Notwithstanding subdivision (g), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

    So there doesn't appear to be what I would consider a "full disclosure" requirement anywhere in this. It looks like you've got to notify the people whose info got out, which seems reasonable to me.
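The two passages krangomatik quotes (the "personal information" definition and the notice-method rules in subdivision (g)) describe a decision procedure that an incident responder ends up running over a compromised data set: which records meet the definition, how many people that is, and which notice method the thresholds permit. The sketch below is an added example written for this page, not code from the thread or from the bill; the record field names, the `ExposedRecord` type and the function names are assumptions chosen for illustration, while the enumerated data elements, the encryption condition and the $250,000 / 500,000 thresholds follow the quoted text. It goes slightly beyond the quote by handling the account-number case (which only counts together with a code or password) and the "either the name or the data elements are not encrypted" condition per element.

```python
"""Breach-notification triage modelled on the SB 1386 text quoted in the thread.

Added illustration. Field names, the record type and helper names are assumptions made
for this example; the listed data elements, the encryption condition and the two
thresholds are taken from the quoted bill text.
"""
from dataclasses import dataclass, field

# Field names are constructed for this example, not taken from the bill.
NAME_FIELDS = {"first_name", "first_initial", "last_name"}
ID_ELEMENTS = {"ssn", "drivers_license_number", "ca_id_card_number"}   # items (1) and (2)
ACCOUNT_ELEMENT = "account_number"                                      # item (3) ...
ACCESS_SECRETS = {"security_code", "access_code", "password"}           # ... only with one of these


@dataclass
class ExposedRecord:
    """One individual's record as found in the compromised data set."""
    fields: set                                   # names of the fields present in the record
    encrypted: set = field(default_factory=set)   # subset of those fields that were encrypted


def exposed_name(rec: ExposedRecord) -> bool:
    """Quoted text: first name or first initial, in combination with last name."""
    has_first = "first_name" in rec.fields or "first_initial" in rec.fields
    return has_first and "last_name" in rec.fields


def triggering_elements(rec: ExposedRecord) -> set:
    """The enumerated data elements present in the record."""
    found = ID_ELEMENTS & rec.fields
    # Item (3): an account/card number counts only together with a code or password
    # that would permit access to the account.
    if ACCOUNT_ELEMENT in rec.fields and ACCESS_SECRETS & rec.fields:
        found.add(ACCOUNT_ELEMENT)
    return found


def element_encrypted(rec: ExposedRecord, element: str) -> bool:
    """For the account element, the number and its exposed access secrets must all be encrypted."""
    if element == ACCOUNT_ELEMENT:
        parts = {ACCOUNT_ELEMENT} | (ACCESS_SECRETS & rec.fields)
        return parts <= rec.encrypted
    return element in rec.encrypted


def is_personal_information(rec: ExposedRecord) -> bool:
    """True when the record meets the quoted definition: a name plus at least one listed
    element, where either the name or that element was not encrypted."""
    if not exposed_name(rec):
        return False
    name_encrypted = (NAME_FIELDS & rec.fields) <= rec.encrypted
    return any(not (name_encrypted and element_encrypted(rec, e))
               for e in triggering_elements(rec))


def choose_notice_method(cost_usd: float, affected: int, have_contact_info: bool) -> str:
    """Subdivision (g): substitute notice when cost exceeds $250,000, the affected class
    exceeds 500,000, or contact information is insufficient; otherwise written/electronic."""
    if cost_usd > 250_000 or affected > 500_000 or not have_contact_info:
        return "substitute"          # e-mail where available + Web posting + statewide media
    return "written_or_electronic"


def triage(records, cost_per_notice_usd: float, have_contact_info: bool = True) -> dict:
    """Count records that require notification and select a notice method for them."""
    affected = sum(1 for r in records if is_personal_information(r))
    if affected == 0:
        return {"affected": 0, "notice": None}
    total_cost = affected * cost_per_notice_usd
    return {"affected": affected,
            "notice": choose_notice_method(total_cost, affected, have_contact_info)}


# Constructed sample dump covering the interesting combinations.
SAMPLE_RECORDS = [
    ExposedRecord({"first_name", "last_name", "ssn"}),                  # name + SSN: triggers
    ExposedRecord({"first_name", "last_name", "email"}),                # no listed element
    ExposedRecord({"first_initial", "last_name", "account_number"}),    # no code/password: no trigger
    ExposedRecord({"first_name", "last_name", "account_number", "password"},
                  encrypted={"first_name", "last_name", "account_number", "password"}),  # all encrypted
    ExposedRecord({"first_name", "last_name", "drivers_license_number"},
                  encrypted={"drivers_license_number"}),               # name in the clear: triggers
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, cost_per_notice_usd=1.0))
```

Run stand-alone, the sample yields two affected individuals and a written or electronic notice; the encrypted-only record and the account number without a code drop out, which is the distinction the post draws between "a break-in" and a notifiable breach.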