Slashdot Mirror
CA Law Demands Public Disclosure Of Break-Ins
AuntieMisha writes "BusinessWeek has an article about a new California law passed that
requires businesses to publicly disclose information about break-ins. The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation. IMHO Big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don't have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good."
Most businesses that get hacked surely do the right thing and inform customers. Also, the idea of allowing companies to quietly share technical information on breaches with investigators clearly has merit.
If you don't report a break-in, how is anyone gonna know it happened? (Unless an employee narcs, at which point it becomes a messy paper/email/word-of-mouth trail)
Seriously, it's not like the CA government is gonna be able to "audit" companies like they do if they suspect fraud in other self reported areas. (Like tax fraud, emissions, etc...)
Small businesses can hire me as a security consultant. And I can do my consulting by hacking^H^H^H^H^H^H telecommuting my way into California from my New Hampshire home.
-- Thou hast strayed far from the path of the Avatar.
What does this law have to do with sticking up for the little guy? If a company that I have a stake in, ESPECIALLY if that stake is a good amount of money, I want to know if they're getting owned. If my investments aren't safe, I have a right to know. Granted, most financial institutions are federally insured, but that won't help me if Bob Hacker over here can make it look like I never invested in the first place. The matter is A LOT more of problem if I'm highly wealthy, in which case I'm SOL on any amount higher than 100k.
All in all, they have an obligation to tell the world, not just for their current customers, but to let potential future customers aware of the situation so that they can make sound, informed financial decisions.
Finally, math books without any of that base 6 crap in them.
Naw, Chief Wiggum.
"I'd rather let a thousand criminals go than chase aftert them..."
You think that I'm crazy, you should see this guy!
Information asymmetry leads to inefficency, in this case through adverse selection. If my bank gets hax0r3d every other week their reputation should be tarnished. Also the article states that investigations by the federal government are exempt, not private investigations. This bill was constructed by consumer advocacy groups becasue it is good for consumers.
So you only have to disclose the break in if you don't have the ablity to investigate it and find out how to stop it from happening again?
So if you can prevent it from happening again you don't have to tell other people how to protect themselves. But if you can't protect yourself you have to tell the hacker that you don't know how to track them down and they should be sure and hack you again.
Why is it that when people go into politics they suddenly become stupid?
-jon
Computer Associates is writing laws now? And I thought Microsoft had influence with the gov..
oh, right, California...
It seems like the submitter is a little too polarized on this issue, but I don't feel the compulsion to take every attempt to legislate order into the digital world as an insidious attempt to undermine small business.
In fact, why is it that Slashdot seems to think that any attempt to introduce order through legislation as a bad thing? Get a grip already. This isn't your 'internet' it's that of those who own the hardware. I find this false sense of ownership childish and tasteless.
?-|||-----x<*))))><
From the article:
California enacted a sweeping measure that mandates public disclosure of computer-security breaches in which confidential information may have been compromised.
This isn't nearly as bad as the alarmist description at the top of this story. This doesn't say that Company B has to announce that their Web server was hacked to say "1 0wn U!" It says that the people affected by a break in (i.e., the people whose confidential records were exposed) must be notified.
A couple of years ago, I had to cancel a credit card after some charges from Russia showed up. Eventually it came out that an online retailer had lost a bunch of card numbers. They should have told me when it happened, not after my credit card company was ripped off.
Seems like a good law to me.
I would have to say that this COULD be a good thing. It could provide incentive for companies to tighten security. And most importantly, in my mind, I would want to know as soon as possible if an information with my SSN, credit card numbers, etc had been hacked, so that I could keep a closer eye on my accounts and be ready to provide information to law enforcement and the credit agencies should my identity be stolen.
Unless I misread the article, I get the feeling that by "investigation" they meant a legal investigation. If that is true, then businesses couldn't just start an internal investigation to put off disclosure forever. If this is not true, then well, it should be restricted to legal investigations only.
But again, I do think this is a good step in the right direction. When I give my personal data to a company, they need to manage it and secure it. I expect them to inform me if a problem occurs. With laws like this, they will have to.
So if your web server is hacked and defaced, you don't have to reveal anything. If your credit card database is hacked, you do.
I don't see the problem with this. As it is, confidential information is exposed, and no one knows about it.
Maybe that's obvious to the submitter, but I was horrified that such a burdensome and unnecessary law was passed. And reading other posts, a lot of others didn't get it either.
What I'm listening to now on Pandora...
Microsoft (Nasdaq: MSFT) filed documents with the SEC today relating to a breach of network security.
According to the filings, at 5:23 AM last Tuesday, Microsoft's network was "owned" by a hacker calling himself "Z3r0 kew10r". While the hacker refered to himself as "1337" in his defacement of Microsoft's webpage, Microsoft CEO Bill Gates indicated that the security breach was very minor.
In a press release accompanying the filing, Gates said: "t#1s punk th1nks h3's 1337 but h3's just a littl3 scr1p7 k1dd13 and i'm g0nna sh0w h1m what 1337 is when m3 and the M$ haxx0r cr3w crak his b0xx0r!"
>> The only loophole is if there is an ongoing investigation
I would like to point out that ongoinginvestigation.com is still available for registration. Imagine the business you'll get in California! Certainly it will be worth a few bucks a month to a company's reputation to hire you to keep the investigation ongoing.
Mom and Pop shops will be hurt by this. Notice this targets small busniess who probably run free software to reduce costs. Large companies can handle this, even find ways around it.
I agree with it to an extent. I have a feeling breakins are far more common than any of us truely know. Only by making this public will the problem get better. Constantly pushing it under the rug is how MS has gotten away with security problems for so long.
On the upside this law will help the IT industry since it'll create more IT jobs for network/security auiditing etc.
I hate to see goverment medle in business matters, however the tech industry doesn't seem capable/willing enough to handle the security issues alone. I know most people are sick of it, and when people get sick of it, they start passing laws. The tech industry really has no one to blame but itself.
"Breaking in" is an inherant part of security auditing, isn't it? In order to see if your computers are hackable one must, in fact, hack them. Would this law require that network security companies announce when they find a client's systems vulnerable, becuase technically it is a "break in"? If so, wouldn't the end result of that be companies completely ignoring security all together becuase the less they "know" about the break ins on thier own site, the less they have to report?
"Your superior intellect is no match for our puny weapons!"
Even though I don't think it will do any good for the prevention of such crimes as identity theft, perhaps it will send a message that a tighter grip is required for confidential data.
However, I see some problems. As one poster already noted, how do you enforce this if an admission has to be made voluntarily?
Also, the 'loophole' is wide enough to drive a Mack truck through. It would prove very handy to business or government entities that did not want to disclose that they had been hacked.
Of course, if the goverment really wants to help people who have had their private stuff lifted, perhaps the Feds should change the law so it is possible to get a new Social in case of theft. Your SSN can be used to create all sorts of havoc, but the Gov't will not give you another one, even if you can prove that someone is ruining your life with it. Very sad.
Playing ignorant with law enforcment and the legal eagles is a dangerous path to take. I wouldn't advise anyone on it. They have much more time to screw with you than you do with them, and they play hardball. Not to mention they have the final word.
A break in is unauthorized access. Period. It isn't even decided by the admin. What the admin wants is irrelevant, it's what the corporate executives want. If the execs don't want something open to the public, then someone publicly access it, the admin gets fired/sued and the person who broke in goes to jail. It's a very simple concept many of todays prima donna admins don't grasp.
Sounds like I could have an 'ongoing investigation' for the rest of my life.
Companies might just pour millions into Microsoft's own services. After all, Microsoft has pledged to make security its #1 priority these days.
Microsoft may just sell companies its own security and consulting services, or companies will simply hire any one of the thousands of unemployed paper MCSE drones that are now floating around.
First off: I submitted this yesterday with a much less biased writeup. "Luck of the editor", I guess. My overall /. submission record is now 2 and 16.
Second: the problem is not big business vs. small, or even public sector vs. private. The issue is confidential data about the public and what expectation the public should be able to place on those who promise confidentiality. I don't think it's unreasonable for the legislature to define what that expectation is, the same way they define what the expectations on a company are in terms of pollution or accounting or workplace safety. Businesses have to meet certain standards to operate in a particular region; doing what they say with respect to confidential customer data is just one more standard, and probably a more important one than some of the other standards a business has to meet.
The argument that disclosure harms enforcement and education is only true as long as disclosure isn't mandatory for all. Once there's no longer a choice about disclosure, the public will quickly learn who can be trusted, and law enforcement and the business community will quickly learn what are the most common security issues to address. The marketplace will quickly put an appropriate premium on security once this law forces information about lax security out into the open. It's an effective way of letting the public determine how important security is - this is a much better solution than the state just requiring a particular patch level or certification or something like that. We say we don't want the state dictating how software is written - ensuring full disclosure of software faults is a great way to allow the public more voice in determining the right tradeoff, rather than having the state do it.
And if a vulnerability is discovered for which there isn't a patch yet, some people ask whether the company should be in trouble for not taking their systems off the 'net and getting 0wn3d. Of course they should! Their inability to plan a secure and maintainable computing infrastructure should not necessitate the exposure of my personal data to all and sundry. Just like the BIA, if you can't show that you're secure, you need to be off the 'net. This will have the effect of placing a premium on computing platforms that are quicker to patch when security problems are found, likely making Open Source solutions more popular. All in all, it's a win-win-win situation once the adjustment period is complete.
Your right to not believe: Americans United for Separation of Church and
On one hand you have lawmakers calling hackers 'thugs' and 'criminals' because -- and this is generally after months of reporting the problem to, say, Microsoft -- they notify the public that there is a security hole.
NOW they're going to make it illegal to not notify the public. Is telling the world about a security breach irresponsible or isn't it?
Yeesh. I feel like the whole gang from Bloom County who didn't know if they were watching "F Troop" or CNN and thus whether they should be enjoying the carnage or not.
My
Limekiller
Microsoft.
0 break-ins reported, 7,435 break-ins currently being investigated.
I'm Mr. Average Invester.
I find out that my #1 favorite stock i dumped thousands into on the advice of my dentist has recently fallen victim to a 11 year old IRC junkie.
Do I:
a. invest more money in my company, showing appreciation for the companies candor.
b. Murmur something very Zen to myself about the strongest tree bending in the wind, while noteing the fact that no real damage was done.
c. put a humming bird to shame franticly clicking the refresh button on IE6, neuroticly waiting for the stock to move a tick up or down.
d. scream "SELL SELL SELL" into my cellphone while barely avoiding a headon collision in my SUV.
e. dump all of my money into precious metals and move to an obscure island nation in preperation for the inevitable global ecconomic collapse.
and.... pencils down.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
So if Ca. Congresscritter Berman's cyber vigilante bill passes, there will be a surefire method of dealing with pesky business competitors: attack their systems on the pretext that they might have some of your copyrighted data. If they report the breakin, they'll get bad publicity. If they don't report it, have your lawyers point out that fact to the appropriate authorites and they get busted for not reporting the breakin, also generating bad publicity for them. On the upside, this looks like a full-employment bill for security types.
After reading the text of SB1386 (the Bill referenced in this article) I think the Slashdot blurb on this was a bit misleading. California isn't demanding "Public Disclosure Of Break-Ins." This makes it sound like whenever there is a break in it must be disclosed. This isn't really the case. Notifications only have to take place when the following criteria is met: "personal information" means an
individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card
number.
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
(f) For purposes of this section, "personal information" does not
include publicly available information that is lawfully made
available to the general public from federal, state, or local
government records.
As for this "investigation" loophole this only applies to ongoing investigations being conducted by law enforcement agencies. I know that a large company may have a bit more clout in getting an investigation started, but even so they can only delay disclosure if "a
law enforcement agency determines that the notification will impede a
criminal investigation." So I'm not sure how big of a "loophole" this is.
As for the notification methods, it doesn't look like full public disclosure is what the bill is aiming at. It looks more like they just want the people who's information was compromised to be notified. Here is the section on notification:
(g) For purposes of this section, "notice" may be provided by one
of the following methods:
(1) Written notice.
(2) Electronic notice, if the notice provided is consistent with
the provisions regarding electronic records and signatures set forth
in Section 7001 of Title 15 of the United States Code.
(3) Substitute notice, if the agency demonstrates that the cost of
providing notice would exceed two hundred fifty thousand dollars
($250,000), or that the affected class of subject persons to be
notified exceeds 500,000, or the agency does not have sufficient
contact information. Substitute notice shall consist of all of the
following:
(A) E-mail notice when the agency has an e-mail address for the
subject persons.
(B) Conspicuous posting of the notice on the agency's Web site
page, if the agency maintains one.
(C) Notification to major statewide media.
(h) Notwithstanding subdivision (g), an agency that maintains its
own notification procedures as part of an information security policy
for the treatment of personal information and is otherwise
consistent with the timing requirements of this part shall be deemed
to be in compliance with the notification requirements of this
section if it notifies subject persons in accordance with its
policies in the event of a breach of security of the system.
So there doesn't appear to be what I would consider a "full disclosure" requirement anywhere in this. It looks like you've got to notify the people who's info got out, which seems reasonable to me.
Consider the recent RedHat patch that boiled down to "you should run this patch but we can't tell you why" and the lawsuits where large software giants have threatened lawsuits because possible exploits were released before they the company was notified and allowed to investigate internally. Is it possible that a company may disclose the details of its incident and end up in violation of the DCMA or their EULA's?