Slashdot Mirror


CA Law Demands Public Disclosure Of Break-Ins

AuntieMisha writes "BusinessWeek has an article about a new California law passed that requires businesses to publicly disclose information about break-ins. The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation. IMHO, big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don't have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good."

11 of 188 comments

  1. Loophole by First_In_Hell · · Score: 1, Interesting
    The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation.

    Wouldn't want those wacky hackers to know that people were on to them and actually investigating the crime! Who makes that decision? Chief Moose?

  2. But how do you enforce this? by Halo- · · Score: 5, Interesting

    If you don't report a break-in, how is anyone gonna know it happened? (Unless an employee narcs, at which point it becomes a messy paper/email/word-of-mouth trail)

    Seriously, it's not like the CA government is gonna be able to "audit" companies like they do if they suspect fraud in other self reported areas. (Like tax fraud, emissions, etc...)

  3. Why? by websurf.net · · Score: 2, Interesting

    How can California insist that anyone make it public when they are hacked? Do they insist it is made public when a company is physically broken into? I doubt it. This will just cause companies to not even call the police in order to save their reputation.

  4. why not ? It is a good idea by Muad · · Score: 2, Interesting

    I second the point on smaller businesses not having the cash to maintain bogus investigations just to delay the release of information, but this can be easily fixed by establishing a deadline that cannot be easily stretched (something akin to "even with an investigation running, you must notify your customers within one month").

    Special clauses must mention that when sensitive information is compromised (trade secrets, credit card numbers, etc) customers should be notified IMMEDIATELY, barring a judge authorizing a delay of that to protect an investigation for justified, specific reasons - ie no blank checks should be given for non-disclosure.

    --
    --- "I didn't think anyone would understand it" -Prof. Bob Muller
  5. I don't see how this would be enforceable by DeadSea · · Score: 2, Interesting
    First of all, who decides what a break-in is? If somebody can access the data, who is to say that the admin didn't want it that way? If the admin wanted it accessible, he shouldn't have to report every access to it.

    How about for break-ins that the admin didn't know happened? I can't imagine that this law would require reporting of something you don't know about. Any admin could feign ignorance of something to avoid reporting.

    Who is going to care if stuff isn't reported? If you don't report something, who is going to sue you? I can see a new type of hacker: "I broke in but you didn't report it, so now you owe me One Million Dollars (bwah hah hah)."

    What would the purpose of this law be anyway? For law enforcement to gather data? I didn't read the article or text of the law, so maybe some of my concerns are addressed. I don't see how it would ever work given the Slashdot writeup.

  6. How about security auditing? by gnovos · · Score: 3, Interesting

    "Breaking in" is an inherent part of security auditing, isn't it? In order to see if your computers are hackable one must, in fact, hack them. Would this law require that network security companies announce when they find a client's systems vulnerable, because technically it is a "break in"? If so, wouldn't the end result of that be companies completely ignoring security altogether, because the less they "know" about the break-ins on their own site, the less they have to report?

    --
    "Your superior intellect is no match for our puny weapons!"
  7. A good start, but flawed by Duderstadt · · Score: 3, Interesting
    I support the general idea of informing people that their supposedly confidential or private information has been leaked or stolen.

    Even though I don't think it will do any good for the prevention of such crimes as identity theft, perhaps it will send a message that a tighter grip is required for confidential data.

    However, I see some problems. As one poster already noted, how do you enforce this if an admission has to be made voluntarily?

    Also, the 'loophole' is wide enough to drive a Mack truck through. It would prove very handy to business or government entities that did not want to disclose that they had been hacked.

    Of course, if the government really wants to help people who have had their private stuff lifted, perhaps the Feds should change the law so it is possible to get a new Social in case of theft. Your SSN can be used to create all sorts of havoc, but the Gov't will not give you another one, even if you can prove that someone is ruining your life with it. Very sad.

  8. What constitutes an investigation? by teamhasnoi · · Score: 3, Interesting
    If I look at logs every other day? If I run Zone Alarm? Look at the screen with a magnifying glass? If I hang out on IRC and talk to script kiddies? An email to Steve Gibson? Call Encyclopedia Brown? Invite the Hardy Boys over (or Nancy Drew...grrrrr;)? Ask the kids? Call the cops weekly? Write my congressman? Watch Mystery Science Theatre 3000? Type 'Hacker +"My Computer"' in Google? Dust for prints? Listen to Prince? Buy a fedora? Tape the X-Files? Eat an unidentified mushroom? Hang out near the computer books at Barnes & Noble? Watch '20/20'? Puzzle over a "Where's Waldo" Sunday comic? Post to alt.are.you.hacking.me? Hide some X10 cameras in my floppy drive? Respond to "FIND OUT ANYTHING ABOUT ANYONE!!!!!!!" spam? Read the label? Check behind me occasionally? Smell my shirt to see if it's clean? Submit an Ask Slashdot?

    Sounds like I could have an 'ongoing investigation' for the rest of my life.

  9. Why is their reputation that important? by rebill · · Score: 2, Interesting

    Small businesses that don't have the resources to maintain an investigation will have their reputations ruined

    I'm sorry, but if the choice is between their reputation and not knowing that some joker out there can steal my hard-earned cash at a moment's notice because he has my credit card information, I think I'd choose wrecking their reputation.

    --

    Chivalry is not dead, it's just frequently misspelt. - M. Langley

  10. Could have the opposite effect.. by EvilStein · · Score: 4, Interesting

    Companies might just pour millions into Microsoft's own services. After all, Microsoft has pledged to make security its #1 priority these days.

    Microsoft may just sell companies its own security and consulting services, or companies will simply hire any one of the thousands of unemployed paper MCSE drones that are now floating around.

  11. Get your facts straight by Duderstadt · · Score: 2, Interesting
    This will hurt Microsoft. Since IIS has the largest market share on web servers, they will be hit hardest when these security breaches come to light. People will realize that Linux is a more secure, easier-to-maintain alternative.

    What? Since when did IIS overtake Apache in web server market share?

    This will create jobs. Small businesses who might have otherwise adopted IIS and foregone the overhead of an IT staff will be forced to take a more active role in keeping their systems secure. Although it may hurt some small businesses, the net overall effect is to redistribute wealth into our pockets and increase our pay overall, which is indisputably a Good Thing(tm). Never opened a small business, eh? Let me enlighten you. Most small business (under 50 employees) are sole proprietorships or partnerships started by either a single person or a small group of individuals with limited resources.

    These shops use MS Windows and IIS for the following reasons:
    1: It is similar to the machine used at home. For someone who has used Win9x or NTx Workstation, Windows Servers are pretty easy to get started with.
    2: Most of the services (file sharing, email, web) are free as in beer with Windows.
    3: It is pretty easy to set up a decent site with Front Page.

    Debian will benefit. Debian's "apt" facility is extremely simple for end-users to use and understand, and helps system administrators keep large numbers of boxes up to date without causing RPM hell or any other conflicts that one may experience when using a distribution like RH that does not regression test their patches.

    Only in Linux Land. Since when did apt become easier than Windows Update?

    Script kiddies will have to find new targets. The logical next step for script kiddies, once e-commerce sites have been secured, is government sites. This will encourage the government to adopt Linux more widely, in place of insecure and unreliable Windows NT systems. In fact, it may even create grounds for breaking their contract with Microsoft.

    Wrong again. I have contracted for the Fed and much of their critical stuff not only runs on MS, it is secure as all hell. In fact, the biggest vulnerability in the gov't systems I have seen has been the fact that several different platforms and apps are in use - a network admin's nightmare. (e.g. MS Windows of all vintages, SOLARIS, AS/400, OS/390, a dozen different databases, etc.)

    Please, not everything in the world that takes place is related to Linux. Give it a rest.