Slashdot Mirror


CA Law Demands Public Disclosure Of Break-Ins

AuntieMisha writes "BusinessWeek has an article about a new California law passed that requires businesses to publicly disclose information about break-ins. The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation. IMHO big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don't have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good."


  1. Yay, verily by Anonymous Coward · · Score: 5, Insightful
    I think the California law is long overdue. In far too many instances, companies and governments have kept mum after they were hacked, seeking to preserve their reputations and avoid public outcry while their customers face risk of identity theft. Computer-security breaches must be treated like any other issue of public safety, and people must be informed when they're at risk.

    Most businesses that get hacked surely do the right thing and inform customers. Also, the idea of allowing companies to quietly share technical information on breaches with investigators clearly has merit.

    1. Re:Yay, verily by First_In_Hell · · Score: 3, Insightful
      Is it that hurtful to their reputations? What is the shame at getting hacked? It has happened to the biggest of them (ebay, CNN). I think more damage would be done if the consumers found out that they were withholding the information from them.

      That is more damaging to their reputation than any hack attack.

    2. Re:Yay, verily by Anonymous Coward · · Score: 1, Insightful

      Most businesses that get hacked surely do the right thing and inform customers.

      It's important to note that "right thing" here means after the fact. I currently have no way to research a company to see how often its database was hacked before I gave them my credit card number.

      In some cases when credit card data was taken, the credit card companies proved reluctant to cancel the credit cards and reissue new ones, even when the victim company did the right thing to inform the credit card companies.

      It's not that I disagree with your post, it's just that different companies have different definitions of "right thing". Coding it into law solves this problem.

    3. Re:Yay, verily by V.P. · · Score: 2, Insightful
      No. If they can't protect my data, they have no business storing them in the first place. If they do, it's their responsibility to keep them safe, and, at the very least, let me know when they're compromised.

      Not to mention the healthy effect of getting companies to actually pay some attention to security, or face at least some bad publicity if they don't.

  2. There will be no more break-ins by Anonymous Coward · · Score: 1, Insightful

    Companies will stop paying any attention to security logs, or will at least make sure that nobody ever speaks of anything as a "break in" or a "security problem".... There will only be "network configuration issues".

  3. The bigger picture by unicron · · Score: 4, Insightful

    What does this law have to do with sticking up for the little guy? If I have a stake in a company, ESPECIALLY if that stake is a good amount of money, I want to know if they're getting owned. If my investments aren't safe, I have a right to know. Granted, most financial institutions are federally insured, but that won't help me if Bob Hacker over here can make it look like I never invested in the first place. The matter is A LOT more of a problem if I'm highly wealthy, in which case I'm SOL on any amount higher than 100k.

    All in all, they have an obligation to tell the world, not just for their current customers, but to make potential future customers aware of the situation so that they can make sound, informed financial decisions.

    --
    Finally, math books without any of that base 6 crap in them.
  4. How is this not good. by glrotate · · Score: 5, Insightful

    Information asymmetry leads to inefficiency, in this case through adverse selection. If my bank gets hax0r3d every other week their reputation should be tarnished. Also the article states that investigations by the federal government are exempt, not private investigations. This bill was constructed by consumer advocacy groups because it is good for consumers.

  5. Oh thats really useful by jcrb · · Score: 3, Insightful

    So you only have to disclose the break-in if you don't have the ability to investigate it and find out how to stop it from happening again?

    So if you can prevent it from happening again you don't have to tell other people how to protect themselves. But if you can't protect yourself you have to tell the hacker that you don't know how to track them down and they should be sure and hack you again.

    Why is it that when people go into politics they suddenly become stupid?

    --
    -jon
  6. Re:But how do you enforce this? by Raul654 · · Score: 3, Insightful

    Because the truth has an unfortunate tendency to come out, eventually. Today's most tightly guarded secrets are the stuff tomorrow's headlines are made of.

    --
    To make laws that man cannot, and will not obey, serves to bring all law into contempt.
    --E.C. Stanton
  7. It's about time by EggplantMan · · Score: 5, Insightful
    I'm sorry but I do not side with the submitter on this one. Any sort of forced disclosure in this arena is a step forward. If I am going to be trusting my personal info with a business I would like to know their security record. Just consider the recent scandals with Bell, and AOL for instance.

    It seems like the submitter is a little too polarized on this issue, but I don't feel the compulsion to take every attempt to legislate order into the digital world as an insidious attempt to undermine small business.

    In fact, why is it that Slashdot seems to think that any attempt to introduce order through legislation is a bad thing? Get a grip already. This isn't your 'internet' it's that of those who own the hardware. I find this false sense of ownership childish and tasteless.

    --
    ?-|||-----x<*))))><
    1. Re:It's about time by gnovos · · Score: 2, Insightful

      Look at it this way...

      1) You know publicity about your break-ins will cost you reputation.

      2) You know that there really isn't any way to 100% secure your site from every niggling little security hole, no matter how much money you spend.

      What's stopping you from dumping your ENTIRE network security department and never actually going out and looking for break-ins ever?

      If you never SEE a break-in, you can't be obliged to report it, right?

      --
      "Your superior intellect is no match for our puny weapons!"
  8. On the contrary, this is a Good Thing(tm) by b.foster · · Score: 3, Insightful
    This bill is exactly what we need, and it should be adopted by all 50 states. Why? Accountability. Let's look at the facts before we jump to conclusions:
    • 99.4% of all break-ins are caused by known, unpatched vulnerabilities. Businesses that cannot take simple steps to keep their systems up to date should be shunned by privacy-conscious consumers. After all, when you hire a business, you are trusting them and their network to keep your data safe and operate reliably.
    • This will hurt Microsoft. Since IIS has the largest market share on web servers, they will be hit hardest when these security breaches come to light. People will realize that Linux is a more secure, easier-to-maintain alternative.
    • This will create jobs. Small businesses who might have otherwise adopted IIS and foregone the overhead of an IT staff will be forced to take a more active role in keeping their systems secure. Although it may hurt some small businesses, the net overall effect is to redistribute wealth into our pockets and increase our pay overall, which is indisputably a Good Thing(tm).
    • Debian will benefit. Debian's "apt" facility is extremely simple for end-users to use and understand, and helps system administrators keep large numbers of boxes up to date without causing RPM hell or any other conflicts that one may experience when using a distribution like RH that does not regression test their patches.
    • Script kiddies will have to find new targets. The logical next step for script kiddies, once e-commerce sites have been secured, is government sites. This will encourage the government to adopt Linux more widely, in place of insecure and unreliable Windows NT systems. In fact, it may even create grounds for breaking their contract with Microsoft.
    1. Re:On the contrary, this is a Good Thing(tm) by Anonymous Coward · · Score: 1, Insightful

      It was reasonable till the 'this will hurt Microsoft' part. Who gives a fuck? Does causing Microsoft damage have to be a litmus test for every Good Thing these days?

      Microsoft is not Satan. Bill Gates is not the Anti-Christ. Regardless of their disgusting corporate behaviour, if they disappeared tomorrow, there would be chaos and gnashing of markets.

      Just because you don't like the color or smell of a supporting wall is no reason to blindly knock it down with no preparation.

    2. Re:On the contrary, this is a Good Thing(tm) by Ionizor · · Score: 2, Insightful

      *cough*

      IIS has the biggest market share on web servers? Since when? According to every statistic I've seen, Apache has the biggest market share.

      Also, your line of events ending in everyone adopting Linux and ditching NT is highly unlikely. Most of the NT boxes I've seen are run by morons - morons work cheap(er).

      --
      Todd's Law: All things being equal, you lose!
    3. Re:On the contrary, this is a Good Thing(tm) by The+Evil+Couch · · Score: 3, Insightful

      99.4% of all break-ins are caused by known, unpatched vulnerabilities. Businesses that cannot take simple steps to keep their systems up to date should be shunned by privacy-conscious consumers. After all, when you hire a business, you are trusting them and their network to keep your data safe and operate reliably.

      Agreed. If a program is a security liability, they need to either fix it or replace it. Electronic deadwood does no-one any good, no matter how pretty it is.

      This will hurt Microsoft. Since IIS has the largest market share on web servers, they will be hit hardest when these security breaches come to light. People will realize that Linux is a more secure, easier-to-maintain alternative.

      It depends on how smart and flexible MS is. They've finally been catching onto doing networking the smart way and if they start getting revealed as insecure as they actually are, they may just fix themselves, and rake in the public attention, while the open source community whacks themselves on the forehead saying, "BUT WE'VE BEEN DOING IT THAT WAY, FOR FREE FOR YEARS!" Never underestimate MS's spin doctors or the public's gullibility.

      This will create jobs. Small businesses who might have otherwise adopted IIS and foregone the overhead of an IT staff will be forced to take a more active role in keeping their systems secure. Although it may hurt some small businesses, the net overall effect is to redistribute wealth into our pockets and increase our pay overall, which is indisputably a Good Thing(tm).

      I like the concept of IT staff's importance about to take a big step up. Maybe I'll actually be able to get a job when I stop doing this shit for the Army, instead of fighting some kid for a tech support job or some crap like that.

      Script kiddies will have to find new targets. The logical next step for script kiddies, once e-commerce sites have been secured, is government sites. This will encourage the government to adopt Linux more widely, in place of insecure and unreliable Windows NT systems. In fact, it may even create grounds for breaking their contract with Microsoft.

      Speaking as an Army Sys-Admin, I can tell you that most of our users are too tech-stupid to use Linux, no matter how ridiculously easy the distro is. Windows will stay entrenched in the military. Other government sections may be smart enough to swap out to Linux, but the Army won't. We just don't have enough people that can find the "any" key.

      All in all, the IT crowd and the public at large wins with this new law. Slap an S or HR on it with a couple of numbers and I'll vote for whoever in Congress sponsors it.

  9. Hello? It's only when confidential info is leaked. by island_earth · · Score: 5, Insightful

    From the article:

    California enacted a sweeping measure that mandates public disclosure of computer-security breaches in which confidential information may have been compromised.

    This isn't nearly as bad as the alarmist description at the top of this story. This doesn't say that Company B has to announce that their Web server was hacked to say "1 0wn U!" It says that the people affected by a break in (i.e., the people whose confidential records were exposed) must be notified.

    A couple of years ago, I had to cancel a credit card after some charges from Russia showed up. Eventually it came out that an online retailer had lost a bunch of card numbers. They should have told me when it happened, not after my credit card company was ripped off.

    Seems like a good law to me.

  10. If applied correctly, this could be a good thing. by nystul555 · · Score: 4, Insightful

    I would have to say that this COULD be a good thing. It could provide incentive for companies to tighten security. And most importantly, in my mind, I would want to know as soon as possible if any information with my SSN, credit card numbers, etc. had been hacked, so that I could keep a closer eye on my accounts and be ready to provide information to law enforcement and the credit agencies should my identity be stolen.

    Unless I misread the article, I get the feeling that by "investigation" they meant a legal investigation. If that is true, then businesses couldn't just start an internal investigation to put off disclosure forever. If this is not true, then well, it should be restricted to legal investigations only.

    But again, I do think this is a good step in the right direction. When I give my personal data to a company, they need to manage it and secure it. I expect them to inform me if a problem occurs. With laws like this, they will have to.

  11. Mom and Pop by geek · · Score: 3, Insightful

    Mom and Pop shops will be hurt by this. Notice this targets small businesses who probably run free software to reduce costs. Large companies can handle this, even find ways around it.

    I agree with it to an extent. I have a feeling break-ins are far more common than any of us truly know. Only by making this public will the problem get better. Constantly pushing it under the rug is how MS has gotten away with security problems for so long.

    On the upside this law will help the IT industry since it'll create more IT jobs for network/security auditing etc.

    I hate to see government meddle in business matters, however the tech industry doesn't seem capable/willing enough to handle the security issues alone. I know most people are sick of it, and when people get sick of it, they start passing laws. The tech industry really has no one to blame but itself.

  12. Be very careful, i.e. slippery slope by geek · · Score: 3, Insightful

    Playing ignorant with law enforcement and the legal eagles is a dangerous path to take. I wouldn't advise anyone on it. They have much more time to screw with you than you do with them, and they play hardball. Not to mention they have the final word.

    A break-in is unauthorized access. Period. It isn't even decided by the admin. What the admin wants is irrelevant, it's what the corporate executives want. If the execs don't want something open to the public, and someone publicly accesses it, the admin gets fired/sued and the person who broke in goes to jail. It's a very simple concept many of today's prima donna admins don't grasp.

  13. Kind of slanted viewpoint, isn't it? by ethereal · · Score: 5, Insightful

    First off: I submitted this yesterday with a much less biased writeup. "Luck of the editor", I guess. My overall /. submission record is now 2 and 16.

    Second: the problem is not big business vs. small, or even public sector vs. private. The issue is confidential data about the public and what expectation the public should be able to place on those who promise confidentiality. I don't think it's unreasonable for the legislature to define what that expectation is, the same way they define what the expectations on a company are in terms of pollution or accounting or workplace safety. Businesses have to meet certain standards to operate in a particular region; doing what they say with respect to confidential customer data is just one more standard, and probably a more important one than some of the other standards a business has to meet.

    The argument that disclosure harms enforcement and education is only true as long as disclosure isn't mandatory for all. Once there's no longer a choice about disclosure, the public will quickly learn who can be trusted, and law enforcement and the business community will quickly learn what are the most common security issues to address. The marketplace will quickly put an appropriate premium on security once this law forces information about lax security out into the open. It's an effective way of letting the public determine how important security is - this is a much better solution than the state just requiring a particular patch level or certification or something like that. We say we don't want the state dictating how software is written - ensuring full disclosure of software faults is a great way to allow the public more voice in determining the right tradeoff, rather than having the state do it.

    And if a vulnerability is discovered for which there isn't a patch yet, some people ask whether the company should be in trouble for not taking their systems off the 'net and getting 0wn3d. Of course they should! Their inability to plan a secure and maintainable computing infrastructure should not necessitate the exposure of my personal data to all and sundry. Just like the BIA, if you can't show that you're secure, you need to be off the 'net. This will have the effect of placing a premium on computing platforms that are quicker to patch when security problems are found, likely making Open Source solutions more popular. All in all, it's a win-win-win situation once the adjustment period is complete.

    --
    Your right to not believe: Americans United for Separation of Church and

  14. You want the truth? by Anonymous Coward · · Score: 2, Insightful

    You can't handle the truth!

    Every day I stand on my wall watching for intruders and protecting my web servers. Web logs indicate that my servers survive a constant barrage of attacks.

    Most attacks fail; however, every once in a while some lucky script kiddy or spammer finds a chink in the armour.

    Where do you draw the line on what needs to be reported? Last week a spammer found a poorly configured formmail.pl script on one of my servers and used it to send their spam.

    If the law allows judgement calls where a company is only required to report serious breaches then a company would try to have everything classified as trivial.

    On the other hand if a company is required to report every possible breach then the company might try to flood the public with a bunch of trivial information like a formmail script that was abused for a few hours, and then try to bury a serious problem inside the noise.

  15. Stupid... by DannyO152 · · Score: 2, Insightful

    Like a fox. Jane Legislator has to show the constituents that she's getting things done and preferably things that look good in the newsletter (because there is no significant news coverage of state legislative affairs.) Constituents are worried about their credit cards being stolen over the internet, so what to do? Make it against the law to steal the info? Been done. Make it against the law to enter into the servers? Been done. Make it against the law to not report that you've had a break-in? Bingo!!

    So, it sails through committee, the floor, the other house because John and Joe Legislator want to be on record (and show in their newsletters) that they are doing something(tm) about that internet id theft.

    After it's on the books, people look at it and realize that it is unclear, misguided, and not enforceable, but that wasn't the ultimate purpose was it? Plus fixing it or adding more practical legislation gives Joe, John, and Jane something to do next year.

  16. DMCA and EULA conflicts??? by djfatbody · · Score: 4, Insightful

    Consider the recent RedHat patch that boiled down to "you should run this patch but we can't tell you why" and the lawsuits where large software giants have threatened lawsuits because possible exploits were released before the company was notified and allowed to investigate internally. Is it possible that a company may disclose the details of its incident and end up in violation of the DMCA or their EULAs?