Slashdot Mirror


CA Law Demands Public Disclosure Of Break-Ins

AuntieMisha writes "BusinessWeek has an article about a new California law passed that requires businesses to publicly disclose information about break-ins. The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation. IMHO, big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don't have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good."

5 of 188 comments

  1. But how do you enforce this? by Halo- · · Score: 5, Interesting

    If you don't report a break-in, how is anyone gonna know it happened? (Unless an employee narcs, at which point it becomes a messy paper/email/word-of-mouth trail)

    Seriously, it's not like the CA government is gonna be able to "audit" companies like they do if they suspect fraud in other self-reported areas. (Like tax fraud, emissions, etc...)

  2. How about security auditing? by gnovos · · Score: 3, Interesting

    "Breaking in" is an inherent part of security auditing, isn't it? In order to see if your computers are hackable one must, in fact, hack them. Would this law require that network security companies announce when they find a client's systems vulnerable, because technically it is a "break in"? If so, wouldn't the end result of that be companies completely ignoring security all together because the less they "know" about the break ins on their own site, the less they have to report?

    --
    "Your superior intellect is no match for our puny weapons!"

  3. A good start, but flawed by Duderstadt · · Score: 3, Interesting

    I support the general idea of informing people that their supposedly confidential or private information has been leaked or stolen.

    Even though I don't think it will do any good for the prevention of such crimes as identity theft, perhaps it will send a message that a tighter grip is required for confidential data.

    However, I see some problems. As one poster already noted, how do you enforce this if an admission has to be made voluntarily?

    Also, the 'loophole' is wide enough to drive a Mack truck through. It would prove very handy to business or government entities that did not want to disclose that they had been hacked.

    Of course, if the government really wants to help people who have had their private stuff lifted, perhaps the Feds should change the law so it is possible to get a new Social in case of theft. Your SSN can be used to create all sorts of havoc, but the Gov't will not give you another one, even if you can prove that someone is ruining your life with it. Very sad.

  4. What constitutes an investigation? by teamhasnoi · · Score: 3, Interesting

    If I look at logs every other day? If I run Zone Alarm? Look at the screen with a magnifying glass? If I hang out on IRC and talk to script kiddies? An email to Steve Gibson? Call Encyclopedia Brown? Invite the Hardy Boys over (or Nancy Drew...grrrrr;)? Ask the kids? Call the cops weekly? Write my congressman? Watch Mystery Science Theatre 3000? Type 'Hacker +"My Computer"' in Google? Dust for prints? Listen to Prince? Buy a fedora? Tape the X-Files? Eat an unidentified mushroom? Hang out near the computer books at Barnes & Noble? Watch '20/20'? Puzzle over a "Where's Waldo" Sunday comic? Post to alt.are.you.hacking.me? Hide some X10 cameras in my floppy drive? Respond to "FIND OUT ANYTHING ABOUT ANYONE!!!!!!!" spam? Read the label? Check behind me occasionally? Smell my shirt to see if it's clean? Submit an Ask Slashdot?

    Sounds like I could have an 'ongoing investigation' for the rest of my life.

  5. Could have the opposite effect... by EvilStein · · Score: 4, Interesting

    Companies might just pour millions into Microsoft's own services. After all, Microsoft has pledged to make security its #1 priority these days.

    Microsoft may just sell companies its own security and consulting services, or companies will simply hire any one of the thousands of unemployed paper MCSE drones that are now floating around.