Slashdot Mirror
CA Law Demands Public Disclosure Of Break-Ins
AuntieMisha writes "BusinessWeek has an article about a new California law passed that
requires businesses to publicly disclose information about break-ins. The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation. IMHO Big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don't have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good."
Most businesses that get hacked surely do the right thing and inform customers. Also, the idea of allowing companies to quietly share technical information on breaches with investigators clearly has merit.
If you don't report a break-in, how is anyone gonna know it happened? (Unless an employee narcs, at which point it becomes a messy paper/email/word-of-mouth trail)
Seriously, it's not like the CA government is gonna be able to "audit" companies like they do if they suspect fraud in other self reported areas. (Like tax fraud, emissions, etc...)
Small businesses can hire me as a security consultant. And I can do my consulting by hacking^H^H^H^H^H^H telecommuting my way into California from my New Hampshire home.
-- Thou hast strayed far from the path of the Avatar.
What does this law have to do with sticking up for the little guy? If a company that I have a stake in, ESPECIALLY if that stake is a good amount of money, I want to know if they're getting owned. If my investments aren't safe, I have a right to know. Granted, most financial institutions are federally insured, but that won't help me if Bob Hacker over here can make it look like I never invested in the first place. The matter is A LOT more of problem if I'm highly wealthy, in which case I'm SOL on any amount higher than 100k.
All in all, they have an obligation to tell the world, not just for their current customers, but to let potential future customers aware of the situation so that they can make sound, informed financial decisions.
Finally, math books without any of that base 6 crap in them.
Naw, Chief Wiggum.
"I'd rather let a thousand criminals go than chase aftert them..."
You think that I'm crazy, you should see this guy!
How can California insist that anyone make it public when they are hacked? Do they insist it is made public when a company is physically broken into? I doubt it. This will just cause companies to not even call the police in order to save their reputation.
Information asymmetry leads to inefficency, in this case through adverse selection. If my bank gets hax0r3d every other week their reputation should be tarnished. Also the article states that investigations by the federal government are exempt, not private investigations. This bill was constructed by consumer advocacy groups becasue it is good for consumers.
So you only have to disclose the break in if you don't have the ablity to investigate it and find out how to stop it from happening again?
So if you can prevent it from happening again you don't have to tell other people how to protect themselves. But if you can't protect yourself you have to tell the hacker that you don't know how to track them down and they should be sure and hack you again.
Why is it that when people go into politics they suddenly become stupid?
-jon
Computer Associates is writing laws now? And I thought Microsoft had influence with the gov..
oh, right, California...
I second the point on smaller businesses not having the cash to maintain bogus investigations just to delay the release of information, but this can be easily fixed by establishing a deadline that cannot be easily stretched (something akin to "even with an investigation running, you must notify your customers within one month").
Special clauses must mention that when sensitive information is compromised (trade secrets, credit card numbers, etc) customers should be notified IMMEDIATELY, barring a judge authorizing a delay of that to protect an investigation for justified, specific reasons - ie no blank checks should be given for non-disclosure.
--- "I didn't think anyone would understand it" -Prof. Bob Muller
It seems like the submitter is a little too polarized on this issue, but I don't feel the compulsion to take every attempt to legislate order into the digital world as an insidious attempt to undermine small business.
In fact, why is it that Slashdot seems to think that any attempt to introduce order through legislation as a bad thing? Get a grip already. This isn't your 'internet' it's that of those who own the hardware. I find this false sense of ownership childish and tasteless.
?-|||-----x<*))))><
How about for break-ins that the admin didn't know happened? I can't imagine that this law would require reporting of something you don't know about. Any admin could feign ignorance of something to avoid reporting.
Who is going to care if stuff isn't reported? If you don't report something, who is going to sue you? I can see a new type of hacker: "I broke in but you didn't report it, so now you owe me One Million Dollars (bwah hah hah)."
What would the purpose of this law be anyway? For law enforcement to gather data? I didn't read the article or text of the law, so maybe some of my concerns are addressed. I don't see how it would ever work given the Slashdot writeup.
From the article:
California enacted a sweeping measure that mandates public disclosure of computer-security breaches in which confidential information may have been compromised.
This isn't nearly as bad as the alarmist description at the top of this story. This doesn't say that Company B has to announce that their Web server was hacked to say "1 0wn U!" It says that the people affected by a break in (i.e., the people whose confidential records were exposed) must be notified.
A couple of years ago, I had to cancel a credit card after some charges from Russia showed up. Eventually it came out that an online retailer had lost a bunch of card numbers. They should have told me when it happened, not after my credit card company was ripped off.
Seems like a good law to me.
I would have to say that this COULD be a good thing. It could provide incentive for companies to tighten security. And most importantly, in my mind, I would want to know as soon as possible if an information with my SSN, credit card numbers, etc had been hacked, so that I could keep a closer eye on my accounts and be ready to provide information to law enforcement and the credit agencies should my identity be stolen.
Unless I misread the article, I get the feeling that by "investigation" they meant a legal investigation. If that is true, then businesses couldn't just start an internal investigation to put off disclosure forever. If this is not true, then well, it should be restricted to legal investigations only.
But again, I do think this is a good step in the right direction. When I give my personal data to a company, they need to manage it and secure it. I expect them to inform me if a problem occurs. With laws like this, they will have to.
So if your web server is hacked and defaced, you don't have to reveal anything. If your credit card database is hacked, you do.
I don't see the problem with this. As it is, confidential information is exposed, and no one knows about it.
Excellent. Since companies will now fear losing their reputation, perhaps they will put more thought into the operating systems they choose for keeping customer information.
Up until now many companies don't seem to care that they use insecure MS products to store information since it didn't really matter to them if their customer's privacy was being violated. If this now affects the company's reputation, you bet they will care!
Maybe that's obvious to the submitter, but I was horrified that such a burdensome and unnecessary law was passed. And reading other posts, a lot of others didn't get it either.
What I'm listening to now on Pandora...
Microsoft (Nasdaq: MSFT) filed documents with the SEC today relating to a breach of network security.
According to the filings, at 5:23 AM last Tuesday, Microsoft's network was "owned" by a hacker calling himself "Z3r0 kew10r". While the hacker refered to himself as "1337" in his defacement of Microsoft's webpage, Microsoft CEO Bill Gates indicated that the security breach was very minor.
In a press release accompanying the filing, Gates said: "t#1s punk th1nks h3's 1337 but h3's just a littl3 scr1p7 k1dd13 and i'm g0nna sh0w h1m what 1337 is when m3 and the M$ haxx0r cr3w crak his b0xx0r!"
>> The only loophole is if there is an ongoing investigation
I would like to point out that ongoinginvestigation.com is still available for registration. Imagine the business you'll get in California! Certainly it will be worth a few bucks a month to a company's reputation to hire you to keep the investigation ongoing.
Mom and Pop shops will be hurt by this. Notice this targets small busniess who probably run free software to reduce costs. Large companies can handle this, even find ways around it.
I agree with it to an extent. I have a feeling breakins are far more common than any of us truely know. Only by making this public will the problem get better. Constantly pushing it under the rug is how MS has gotten away with security problems for so long.
On the upside this law will help the IT industry since it'll create more IT jobs for network/security auiditing etc.
I hate to see goverment medle in business matters, however the tech industry doesn't seem capable/willing enough to handle the security issues alone. I know most people are sick of it, and when people get sick of it, they start passing laws. The tech industry really has no one to blame but itself.
"Breaking in" is an inherant part of security auditing, isn't it? In order to see if your computers are hackable one must, in fact, hack them. Would this law require that network security companies announce when they find a client's systems vulnerable, becuase technically it is a "break in"? If so, wouldn't the end result of that be companies completely ignoring security all together becuase the less they "know" about the break ins on thier own site, the less they have to report?
"Your superior intellect is no match for our puny weapons!"
Even though I don't think it will do any good for the prevention of such crimes as identity theft, perhaps it will send a message that a tighter grip is required for confidential data.
However, I see some problems. As one poster already noted, how do you enforce this if an admission has to be made voluntarily?
Also, the 'loophole' is wide enough to drive a Mack truck through. It would prove very handy to business or government entities that did not want to disclose that they had been hacked.
Of course, if the goverment really wants to help people who have had their private stuff lifted, perhaps the Feds should change the law so it is possible to get a new Social in case of theft. Your SSN can be used to create all sorts of havoc, but the Gov't will not give you another one, even if you can prove that someone is ruining your life with it. Very sad.
Playing ignorant with law enforcment and the legal eagles is a dangerous path to take. I wouldn't advise anyone on it. They have much more time to screw with you than you do with them, and they play hardball. Not to mention they have the final word.
A break in is unauthorized access. Period. It isn't even decided by the admin. What the admin wants is irrelevant, it's what the corporate executives want. If the execs don't want something open to the public, then someone publicly access it, the admin gets fired/sued and the person who broke in goes to jail. It's a very simple concept many of todays prima donna admins don't grasp.
Sounds like I could have an 'ongoing investigation' for the rest of my life.
<Quote>
Small businesses that don't have the resources to maintain an investigation will have their reputations ruined
</Quote>
I'm sorry, but if the choice is between their reputation and not knowing that some joker out there can steal my hard-earned cash at a moment's notice because he has my credit card information, I think I'd choose wrecking their reputation.
Chivalry is not dead, it's just frequently misspelt. - M. Langley
Companies might just pour millions into Microsoft's own services. After all, Microsoft has pledged to make security its #1 priority these days.
Microsoft may just sell companies its own security and consulting services, or companies will simply hire any one of the thousands of unemployed paper MCSE drones that are now floating around.
First off: I submitted this yesterday with a much less biased writeup. "Luck of the editor", I guess. My overall /. submission record is now 2 and 16.
Second: the problem is not big business vs. small, or even public sector vs. private. The issue is confidential data about the public and what expectation the public should be able to place on those who promise confidentiality. I don't think it's unreasonable for the legislature to define what that expectation is, the same way they define what the expectations on a company are in terms of pollution or accounting or workplace safety. Businesses have to meet certain standards to operate in a particular region; doing what they say with respect to confidential customer data is just one more standard, and probably a more important one than some of the other standards a business has to meet.
The argument that disclosure harms enforcement and education is only true as long as disclosure isn't mandatory for all. Once there's no longer a choice about disclosure, the public will quickly learn who can be trusted, and law enforcement and the business community will quickly learn what are the most common security issues to address. The marketplace will quickly put an appropriate premium on security once this law forces information about lax security out into the open. It's an effective way of letting the public determine how important security is - this is a much better solution than the state just requiring a particular patch level or certification or something like that. We say we don't want the state dictating how software is written - ensuring full disclosure of software faults is a great way to allow the public more voice in determining the right tradeoff, rather than having the state do it.
And if a vulnerability is discovered for which there isn't a patch yet, some people ask whether the company should be in trouble for not taking their systems off the 'net and getting 0wn3d. Of course they should! Their inability to plan a secure and maintainable computing infrastructure should not necessitate the exposure of my personal data to all and sundry. Just like the BIA, if you can't show that you're secure, you need to be off the 'net. This will have the effect of placing a premium on computing platforms that are quicker to patch when security problems are found, likely making Open Source solutions more popular. All in all, it's a win-win-win situation once the adjustment period is complete.
Your right to not believe: Americans United for Separation of Church and
``This is not good''
And ``see no evil, hear no evil, speak no evil'' is?
Break-ins are a reality. It happens. IMO it's better to be open about it. If I were a customer of a company whose network got cracked, I would rather know that it happened and what measures are being taken to prevent this in the future than to be told nothing and later find out by different means (possibly painful).
Openness could also result in a better understanding of what software/people/practices lead to lower or higher risks of break-in, and improve security accross the board.
I also disagree that this law favors large businesses. Small businesses can carry out investigations just as well, and even investigations carried out by large companies come to an end, after which the break-in has to be disclosed. Bogus investigations aren't harmed by disclosure, so that's not a real option. Wealthy corporations _do_ mess with laws to the detriment of small businesses in Real Life, but I don't see this law making it much worse.
Please correct me if I got my facts wrong.
On one hand you have lawmakers calling hackers 'thugs' and 'criminals' because -- and this is generally after months of reporting the problem to, say, Microsoft -- they notify the public that there is a security hole.
NOW they're going to make it illegal to not notify the public. Is telling the world about a security breach irresponsible or isn't it?
Yeesh. I feel like the whole gang from Bloom County who didn't know if they were watching "F Troop" or CNN and thus whether they should be enjoying the carnage or not.
My
Limekiller
Microsoft.
0 break-ins reported, 7,435 break-ins currently being investigated.
What? Since when did IIS overtake Apache in web server market share?
This will create jobs. Small businesses who might have otherwise adopted IIS and foregone the overhead of an IT staff will be forced to take a more active role in keeping their systems secure. Although it may hurt some small businesses, the net overall effect is to redistribute wealth into our pockets and increase our pay overall, which is indisputably a Good Thing(tm). Never opened a small business, eh? Let me enlighten you. Most small business (under 50 employees) are sole proprietorships or partnerships started by either a single person or a small group of individuals with limited resources.
These shops use MS Windows and IIS for the following reasons:
1: It is similar to the machine used at home. For someone who has used Win9x or NTx Workstation, Windows Servers are pretty easy to get started with.
2: Most of the services (file sharing, email, web) are free as in beer with Windows.
3: It is prety easy to set up a decent site with Front Page.
Debian will benefit. Debian's "apt" facility is extremely simple for end-users to use and understand, and helps system administrators keep large numbers of boxes up to date without causing RPM hell or any other conflicts that one may experience when using a distribution like RH that does not regression test their patches.
Only in Linux Land. Since when did apt become easier than Windows Update?
Script kiddies will have to find new targets. The logical next step for script kiddies, once e-commerce sites have been secured, is government sites. This will encourage the government to adopt Linux more widely, in place of insecure and unreliable Windows NT systems. In fact, it may even create grounds for breaking their contract with Microsoft.
Wrong again. I have contracted for the Fed and much of their critical stuff not only runs on MS, it is secure as all hell. In fact, the biggest vulnerabilty in the gov't systems I have seen has been the fact that several different platforms and apps are in use - a network admin's nightmare. (e.g. MS Windows of all vintages, SOLARIS, AS/400, OS/390, a dozen different databases, etc.)
Please, not everything in the world that takes place is related to Linux. Give it a rest.
the article doesn't mention ...where a break-in occurs because of a(n) ... issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible...).
So companies/whatever which can't be bpthered to patch their holes get a buy? I don't think so.
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
You can't handle the truth!
Every day I stand on my wall watching for intruders and protecting my web servers. Web logs indicate that my servers survive a constant barrage of attacks.
Most attacks fail however every once in a while some lucky script kiddy, or spammer finds a chink in the armour.
Where do you draw the line on what needs to be reported? Last week a spammer found that a poorly configured formmail.pl script on one of my servers and used it to send their spam.
If the law allows judgement calls where a company is only required to report serious breaches then a company would try to have everything classified as trivial.
On the other hand if a company is required to report every possible breach then the company might try to flood the public with a bunch of trivial information like a formmail script that was abused for a few hours, and then try to bury a serious problem inside the noise.
I'm Mr. Average Invester.
I find out that my #1 favorite stock i dumped thousands into on the advice of my dentist has recently fallen victim to a 11 year old IRC junkie.
Do I:
a. invest more money in my company, showing appreciation for the companies candor.
b. Murmur something very Zen to myself about the strongest tree bending in the wind, while noteing the fact that no real damage was done.
c. put a humming bird to shame franticly clicking the refresh button on IE6, neuroticly waiting for the stock to move a tick up or down.
d. scream "SELL SELL SELL" into my cellphone while barely avoiding a headon collision in my SUV.
e. dump all of my money into precious metals and move to an obscure island nation in preperation for the inevitable global ecconomic collapse.
and.... pencils down.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
AppAssure lets you watch your data center 24 x 7,
even when you're not there. More Info
Laws like these will force companies away from overly insecure Microsoft products and force them to actually care about security. With a more concerted effort towards IT security, our personal data will become safer, and alot of high paying security and Linux related jobs should open up. Why would anyone here complain?
Comment removed based on user account deletion
1. Buy Microsoft products
2. Exploit MS security holes
3. Disclose information about the break-in
4. ???
5. Profit!
May I be excused, now?
Any sufficiently well-organized community is indistinguishable from Government.
No, because
The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation.
Emphasis added.
Lacking <sarcasm> tags,
Like a fox. Jane Legislator has to show the constituents that she's getting things done and preferably things that look good in the newsletter (because there is no significant news coverage of state legislative affairs.) Constituents are worried about their credit cards being stolen over the internet, so what to do? Make it against the law to steal the info? Been done. Make it against the law to enter into the servers? Been done. Make it against the law to not report that you've had a break-in? Bingo!!
So, it sails through committee, the floor, the other house because John and Joe Legislator want to be on record (and show in their newsletters) that they are doing something(tm) about that internet id theft.
After it's on the books, people look at it and realize that it is unclear, misguided, and not enforceable, but that wasn't the ultimate purpose was it? Plus fixing it or adding more practical legislation gives Joe, John, and Jane something to do next year.
So if Ca. Congresscritter Berman's cyber vigilante bill passes, there will be a surefire method of dealing with pesky business competitors: attack their systems on the pretext that they might have some of your copyrighted data. If they report the breakin, they'll get bad publicity. If they don't report it, have your lawyers point out that fact to the appropriate authorites and they get busted for not reporting the breakin, also generating bad publicity for them. On the upside, this looks like a full-employment bill for security types.
I believe the assumption is that if there is any kind of personal/private information on customers stored there, people should have a right to know that it has been potentially stolen.
If the video store is broken into, and someone steals some tapes, I don't care.
If their database of customers and credit card info, identification, lending habits, etcetera, is stolen, I want to know about it.
Take that, US Gov!
Bye!
What's funny/scary is that someone used your card to buy a wife, opium, or a suitcase nuke..possibly all 3 depending on your limit.
Finally, math books without any of that base 6 crap in them.
Big corporations will have an internal investigation department and thrus never reveal nothing...
Small corporations will simply classify the event as "computer malfunction" and reinstall all the software and document the event as such...
In the end, California will be the only place in the world where there isn't any break in at all... at least reported publicly...
Cheers...
It's almost never in the public's best interest to hide vulnerabilities from them, even if there's no solution. If one person has exploited one system, there are almost certainly other victims and the numbers will almost certainly continue to grow. Most are probably undetected.
Even if there is no fix out there, it gives people the option to reevaluate the need to run the system, and also consider switching solutions/vendors. The "bad guys" are going to know if you say somethign or not, while telling all of the innocent bystanders lets at least some of them protect themselves.
Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
After reading the text of SB1386 (the Bill referenced in this article) I think the Slashdot blurb on this was a bit misleading. California isn't demanding "Public Disclosure Of Break-Ins." This makes it sound like whenever there is a break in it must be disclosed. This isn't really the case. Notifications only have to take place when the following criteria is met: "personal information" means an
individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card
number.
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
(f) For purposes of this section, "personal information" does not
include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
As for this "investigation" loophole this only applies to ongoing investigations being conducted by law enforcement agencies. I know that a large company may have a bit more clout in getting an investigation started, but even so they can only delay disclosure if "a
law enforcement agency determines that the notification will impede a
criminal investigation." So I'm not sure how big of a "loophole" this is.
As for the notification methods, it doesn't look like full public disclosure is what the bill is aiming at. It looks more like they just want the people who's information was compromised to be notified. Here is the section on notification:
(g) For purposes of this section, "notice" may be provided by one
of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of
providing notice would exceed two hundred fifty thousand dollars
($250,000), or that the affected class of subject persons to be
notified exceeds 500,000, or the agency does not have sufficient
contact information. Substitute notice shall consist of all of the
following:
(A) E-mail notice when the agency has an e-mail address for the
subject persons.
(B) Conspicuous posting of the notice on the agency's Web site
page, if the agency maintains one.
(C) Notification to major statewide media.
(h) Notwithstanding subdivision (g), an agency that maintains its
own notification procedures as part of an information security policy
for the treatment of personal information and is otherwise
consistent with the timing requirements of this part shall be deemed
to be in compliance with the notification requirements of this
section if it notifies subject persons in accordance with its
policies in the event of a breach of security of the system.
So there doesn't appear to be what I would consider a "full disclosure" requirement anywhere in this. It looks like you've got to notify the people who's info got out, which seems reasonable to me.
How often do you read about new laws from Mississippi?
Consider the recent RedHat patch that boiled down to "you should run this patch but we can't tell you why" and the lawsuits where large software giants have threatened lawsuits because possible exploits were released before they the company was notified and allowed to investigate internally. Is it possible that a company may disclose the details of its incident and end up in violation of the DCMA or their EULA's?
> Also, the article doesn't mention the contingency
> where a break-in occurs because of a
> software/hardware issue for which there is no
> released technical solution (i.e. anyone else who
> has software X would be susceptible to the same
> type of break-in). This is not good."
If "software X" (e.g., IIS) is broken quit using it. If you can't figure out any way to secure your system short of taking down your server, tough shit. "We can't figure out any other way to do it" is no excuse for compromising your customer's confidential information.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Does the company have to be incorporated in CA, have offices there, or just their servers? Also, does the break in have to happen in California, or do they have to report it if the CA companies datacenter in New York gets hacked?
What are we going to do tonight Brain?
It may be too much to ask that people submitting items that reference published articles read the articles first. But, as often seems to happen, the Slashdot "editors" didn't read the article either. This isn't going to improve their job prospects after VA Linux/Software/Burgers/whatever finally tanks..
This isn't your 'internet' it's that of those who own the hardware. I find this false sense of ownership childish and tasteless.
I say, bullshit. The net is mostly built on public right of way. That makes it mine, yours too unfortunately. The order of slavery is enforced by brute repression. In any case, the net will be worthless without mass participation or it becomes a one way push fest like TV or something. Oh yeah, we own the airwaves too, I keep forgeting that.
Eggplant man, does that mean "eat me"?
Friends don't help friends install M$ junk.
1. Buy Microsoft products
2. Exploit MS security holes
3. Short MSFT
4. Disclose information about the break-in
5. Profit!