Slashdot Mirror


CA Law Demands Public Disclosure Of Break-Ins

AuntieMisha writes "BusinessWeek has an article about a new California law passed that requires businesses to publicly disclose information about break-ins. The only loophole is if there is an ongoing investigation and if the disclosure would harm the investigation. IMHO big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don't have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn't mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good."

9 of 188 comments

  1. Yay, verily by Anonymous Coward · · Score: 5, Insightful
    I think the California law is long overdue. In far too many instances, companies and governments have kept mum after they were hacked, seeking to preserve their reputations and avoid public outcry while their customers face risk of identity theft. Computer-security breaches must be treated like any other issue of public safety, and people must be informed when they're at risk.

    Most businesses that get hacked surely do the right thing and inform customers. Also, the idea of allowing companies to quietly share technical information on breaches with investigators clearly has merit.

  2. But how do you enforce this? by Halo- · · Score: 5, Interesting

    If you don't report a break-in, how is anyone gonna know it happened? (Unless an employee narcs, at which point it becomes a messy paper/email/word-of-mouth trail)

    Seriously, it's not like the CA government is gonna be able to "audit" companies like they do if they suspect fraud in other self-reported areas. (Like tax fraud, emissions, etc...)

    1. Re:But how do you enforce this? by bovilexics · · Score: 5, Funny

      From the article...

      • Come July 1, 2003, those who fail to disclose that a breach has occurred could be liable for civil damages or face class actions.

      They (the CA government) don't need to audit or enforce anything. It is self-enforcing for those businesses that feel they may be sued and have to pay monetary payments for NOT reporting the incident. If a given company doesn't feel it can be successfully sued due to the incident then there probably wouldn't be a public reporting of it.

      It's just a CYA that would have to be handled on a case by case basis for each company and wouldn't be enforced by auditors and the like.

      --
      Are you bovilexic? Moo!
  3. How is this not good. by glrotate · · Score: 5, Insightful

    Information asymmetry leads to inefficiency, in this case through adverse selection. If my bank gets hax0r3d every other week their reputation should be tarnished. Also the article states that investigations by the federal government are exempt, not private investigations. This bill was constructed by consumer advocacy groups because it is good for consumers.

  4. It's about time by EggplantMan · · Score: 5, Insightful
    I'm sorry but I do not side with the submitter on this one. Any sort of forced disclosure in this arena is a step forward. If I am going to be trusting my personal info with a business I would like to know their security record. Just consider the recent scandals with Bell, and AOL for instance.

    It seems like the submitter is a little too polarized on this issue, but I don't feel the compulsion to take every attempt to legislate order into the digital world as an insidious attempt to undermine small business.

    In fact, why is it that Slashdot seems to think that any attempt to introduce order through legislation is a bad thing? Get a grip already. This isn't your 'internet'; it's that of those who own the hardware. I find this false sense of ownership childish and tasteless.

    --

    ?-|||-----x<*))))><
  5. Hello? It's only when confidential info is leaked. by island_earth · · Score: 5, Insightful

    From the article:

    California enacted a sweeping measure that mandates public disclosure of computer-security breaches in which confidential information may have been compromised.

    This isn't nearly as bad as the alarmist description at the top of this story. This doesn't say that Company B has to announce that their Web server was hacked to say "1 0wn U!" It says that the people affected by a break-in (i.e., the people whose confidential records were exposed) must be notified.

    A couple of years ago, I had to cancel a credit card after some charges from Russia showed up. Eventually it came out that an online retailer had lost a bunch of card numbers. They should have told me when it happened, not after my credit card company was ripped off.

    Seems like a good law to me.

  6. Re:The bigger picture by Kamel+Jockey · · Score: 5, Funny

    that won't help me if Bob Hacker over here can make it look like I never invested in the first place

    For some of us, this could be a very good thing!

    --
    In case of fire, do not use elevator. Use water!
  7. Some crucial missing words... by Otter · · Score: 5, Informative
    Note that this legislation "mandates public disclosure of computer-security breaches in which confidential information may have been compromised". It doesn't mean that any web server that gets owned has to be publicly reported.

    Maybe that's obvious to the submitter, but I was horrified that such a burdensome and unnecessary law was passed. And reading other posts, a lot of others didn't get it either.

  8. Kind of slanted viewpoint, isn't it? by ethereal · · Score: 5, Insightful

    First off: I submitted this yesterday with a much less biased writeup. "Luck of the editor", I guess. My overall /. submission record is now 2 and 16.

    Second: the problem is not big business vs. small, or even public sector vs. private. The issue is confidential data about the public and what expectation the public should be able to place on those who promise confidentiality. I don't think it's unreasonable for the legislature to define what that expectation is, the same way they define what the expectations on a company are in terms of pollution or accounting or workplace safety. Businesses have to meet certain standards to operate in a particular region; doing what they say with respect to confidential customer data is just one more standard, and probably a more important one than some of the other standards a business has to meet.

    The argument that disclosure harms enforcement and education is only true as long as disclosure isn't mandatory for all. Once there's no longer a choice about disclosure, the public will quickly learn who can be trusted, and law enforcement and the business community will quickly learn what are the most common security issues to address. The marketplace will quickly put an appropriate premium on security once this law forces information about lax security out into the open. It's an effective way of letting the public determine how important security is - this is a much better solution than the state just requiring a particular patch level or certification or something like that. We say we don't want the state dictating how software is written - ensuring full disclosure of software faults is a great way to allow the public more voice in determining the right tradeoff, rather than having the state do it.

    And if a vulnerability is discovered for which there isn't a patch yet, some people ask whether the company should be in trouble for not taking their systems off the 'net and getting 0wn3d. Of course they should! Their inability to plan a secure and maintainable computing infrastructure should not necessitate the exposure of my personal data to all and sundry. Just like the BIA, if you can't show that you're secure, you need to be off the 'net. This will have the effect of placing a premium on computing platforms that are quicker to patch when security problems are found, likely making Open Source solutions more popular. All in all, it's a win-win-win situation once the adjustment period is complete.

    --

    Your right to not believe: Americans United for Separation of Church and