Notifications of Security Breaches
LogError writes "On July 1, 2003, Senate bill 1386 becomes Civil Code 1798.82. In a nutshell, the law states that any person or company doing business in the state of California is responsible for notifying California residents of security breaches to their non-encrypted information. It is important to note that the actual breach does not need to occur in the state of California for the law to apply."
Interestingly, there is no language in this law governing what the notification has to say, and whether or not it has to be easily understood by the customer.
Dear Valued Taxpayer,
Your social security number was stolen by a hacker. He stole your identity. Have a nice day.
Sincerely,
California Internal Revenue Service
-This was Fished. I apologize for the bad German.
Vonal Declosion
So now we know when our info is violated...
Dear __(name)__; On __(Date)__ at __(Time)__ your personal information was illegally accessed by "31337 Hackers", The FBI, Microsoft (circle all that apply).
There is nothing you can do but the new law requires that we tell you. Neaner Neaner Neaner!
Really, this is a bare minimum of informing people. The few times this would apply is when something like this happens:
Sorry, but we accidentally sent every SanFran registered voter's complete personal information to some accounting companies, rather than their 2002 ballots to be checked. And that information got lost in the mail. So, ah, all of your lives are floating out there somewhere in a canvas bag with U.S. Mail written on it. Sorry!
non-encrypted
So just ROT13 everything and the law goes bye bye. Hell, it worked for Adobe.
And do pfishers have to tell California residents when they have stolen their credit card information?
"Even more compelling, this law applies worldwide, to any company doing business in the state,"
I doubt they're gonna go round extraditing people for this.. probably just pick them up at the airport or something
And another thing... How exactly will you know if there has been a security breach? If I send data unencrypted anyone at any ISP along the way could potentially be listening in without me ever knowing.
He didn't mention MS. Or do you assume that all posts about non-secure OSes are about MS?
From what I've read, most companies realize that hackers are simply in it for kicks and don't bother notifying the customer because it just causes a lot of panic. Forcing them to report every single time their web page is defaced is going to cost them a lot of business.
What if you don't know about it?
I don't see Microsoft moving HQ to California any time soon.
What 'platform' you think he/she might have implied instead?
Bot Assisted Blogging
At least the article is geared to being honest.
US Democracy:The best person for the job (among These pre-selected choices...)
Dear LookOut! user,
Your personal details were sent out to 169 countries including Nigeria.
Sincerely,
The HappyHour Virus
This law seems to be intended to make it more than just good customer service to notify Californians when someone has potentially stolen their identifying information (Name, SSN, etc.) by hacking your company's weak-ass system.
In fact, there is a provision that the law doesn't apply if you store the customer's data in an encrypted format. The clear intent of this is to provide an incentive to companies to start storing encrypted data, in the belief that if the data is "stolen" it will be useless to the thief. Of course, this seems to be a provision that is geared more to guard against physical theft of persistent storage, as it probably wouldn't help if the system is actually rooted and the decryption keys become compromised or the part of the system that is up/downstream of the crypt routines is hijacked.
In any case, this seems designed to force companies to take their (Californian) customers' personal information's security a bit more seriously than many seem to and is probably part of a more comprehensive effort to prevent identity theft in general.
In my opinion, this law (or one like it) is a Good Thing (tm).
Dear Microsoft Customer,
Due to event A, please update your OS or buy winXP to secure your data..
Thanks,
Billie Goat Gates
Don't Tread on OpenSource
Any rookie lawyer has an open season on this one. It is so vague as to be almost useless. Reads more like IT "feelgood" legislation. It is somewhat well intentioned, but way vague. I understand the intent, this is obvious, but those darn pesky details are always the bugger. Encrypted data? That means *any* encryption technique. (Note, maybe they have a codified definition of that, if so, that would change things.) A directory name written in pig latin might fly as an example of that. "eekritsay ustomercay ataday hisawaytay" And notification? Postcard to someone -> "Hey, Vern, looks like someone got your stuff, you should have been more careful, donchaknow". And as pointed out, it really would be much cheaper for companies now to not give a care about security, it actually encourages them to *not find out* about breaches. It's a variant of "don't ask, we won't look, so no one has to tell". Of course the counter argument would be like "well, then businesses would face possible loss when customers found out on their own, and the word got around, and etc". Sounds nice, doesn't work / hasn't worked in the real world so far though.
I don't see this radically changing things though, I expect that most companies will continue more or less like they are now. Possible exception might be some really large companies would have to individually notify all their licensed users when any security related bug shows up, because once THEY have been notified of an exploit that has been used, not just proposed theoretically but used, it would *seem* to mandate they must notify their thousands or millions of customers, per the description of who is doing business inside the state. Technically anything discovered in house applies, realistically, perhaps some shredding might happen if it looks like a bad breach occurred, cyber shredding and paper shredding, as a more cost effective solution. Or just a canned response, "we have discovered a minor security breach, our crack team of professionals have fixed the problem" whatnot. who knoweth....
Probably take several examples before case law sorts this out, or it might be challenged and dropped on the first case as too vague and unenforceable.
I posted the initial comment as an attempt at jest. Therefore it wasn't necessary to specify a specific OS since everyone has their own opinions on that very topic.
:)
Troll, Flamebait, Insightful moderations all show that my attempt was in vain.
Oh, I can't help quoting you because everything that you said rings true
If only "...acquisition of computerized data in non-encrypted form by an unauthorized person" had been "...by a person not authorized by the company."
Technically they might have to, by law, inform you of all those secret searches being carried out under the TREASON - er - PATRIOT act, which forbids them from informing you.
The agents would be authorized by law, but not by the company.
Interestingly, there is no language in this law governing what the notification has to say, and whether or not it has to be easily understood by the customer
To: someoneinCA@aol.com
Subject: Grow your penis 10 inches in less than a day!
Greetings fellow soon to be elephant sized penis man. Let me take the time to tell you about a GUARANTEED and PROVEN method we've developed over 30 years to work perfectly the first time and give you up to 10 inches more in your member's length! All you have to do is realize that your wildest dream is about to come true and just click on our website and order our system! Under Civil Code 1798.82 your information was downloaded illegally by a hacker on July 10, 2003. Act now!
"Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
To Whom it May Concern:
On June 26, a middle level manager at our company opened an email claiming that a friend had sent him something "for him to see." This manager opened the email in Outlook Express. Approximately two hours later, the entire network was shut down, all of our databases were open to any traffic that wished to view it, and every computer in the department was forced to spend the rest of the day with a picture of a woman having sexual intercourse with a horse for a desktop image.
We appreciate your patience.
ATTACHMENT: klezz.txt
Libertarians somehow believe that private businesses should be stronger than governments but weaker than individuals.
While I wish that all the parent wrote was just funny, this is probably closer to the truth of what many companies will do than any of us would like.
It's incredibly easy to encrypt something without actually adding much, if any, security. It's just too easy to do wrong, and if all someone cares about is paying lip service to the law, then it will be done wrong in many, many companies.
I don't know, but that was certainly too much "personal information."
Defacing a webpage doesn't fall under this law. Nor does it fall under this law if hackers only look at proprietary information about the business, financial statements whatever.
This is purely notification for customers when customer information has been illegally accessed.
"No nation could preserve its freedom in the midst of continual warfare."
--James Madison
Does this mean that Microsoft will pull out of California???
... to spam their customers?
-----------------
Dear valued customer (and CA taxpayer),
I send you this letter to ask for your advice.
Recently we had a security breach, and it is believed that your email address, social security and drivers license were all stolen.
We know this is probably a bad thing, but we're not really sure. Anyway, while you're reading this letter, why not try some Viagra?
Sincerely,
Your Electric Company
If you read the article, it doesn't say ANYTHING about reporting security HOLES (of which Microsoft is plenty guilty).
It says about reporting security BREACHES.
Which is a whole 'nother ball of wax.
If Microsoft had their customer accounts database hacked, then they'd have to notify customers, not if there's a security hole in their product.
On the other hand, if your bank used Microsoft products and because of a security hole in the product, a hacker got access to their data, then they'd have to report this to their customers in California. Which would make them ticked off at Microsoft. And.....
Oh, and I disagree with at least one comment in the article - the article indicates that all you need to do is to encrypt your data to be safe from reporting under the law. The little I've read seems to indicate that if you feed the information to the hacker in a form he can read, you're vulnerable. So if your database is encrypted but you decrypt it before sending it to the customer (or hacker), you're toast.
Similarly, if you send the data to the hacker over an SSL connection, you're toast - the hacker can decrypt the data on the connection.
In my opinion, this law (or one like it) is a Good Thing (tm).
I'm not so sure. I have mixed emotions. On one hand, it's a good thing for companies to have to notify customers of an actual breach because it will require them to take data security seriously and take actual steps to prevent theft or at least make the theft of the data useless to a thief.
The problem is that this extends to all companies worldwide. Honestly, I don't see how this can be avoided, but it further sets the precedent that the laws of one locality's whim affect the whole 'Net. That's a problem from a censorship standpoint especially in this politically correct age where anything offensive is basically considered okay to censor.
If people in say that blogs are offensive to them and anyone who runs a blog is subject to some sort of fine or tax on blogs, then Slashdot and various users that have journals on Slashdot could end up having to pay said fine or tax to people in that locality. It sounds far-fetched, but it's laws like this that slowly erode away individual rights that will eventually lead to the death of the 'Net as we know it.
Of course, I could just be talking completely out my ass and have no idea what I'm saying because IANAL, so take this with a grain of salt if you will.
So yeah, it IS a good thing don't get me wrong, but the vagueness of the law combined with its supposed worldwide reach do have me a little concerned.
My journal has hot
Will this level of encryption suffice?
http://ccwf.cc.utexas.edu/~eclectic/toys/jive.htm
Remember when Slashdot reported that the State of California got a database hacked and had the identity of all of their government employees' data compromised?
So with this law, the State of California would notify their employees that hackers have their data. Well, technically they did what they are proposing. Too bad this was after the Sacramento Bee newspaper reported it first! At least they provide a government link for help.
When this law passes, the State of California should sue themselves into compliance!
--- I'm Green Hornet's sidekick not Inspector Clouseau's!
Who do I call?
errr, goatsebusters?
Dear Valued Taxpayer,
Your social security number was stolen by a hacker. He stole your identity. Have a nice day.
Sincerely,
California Internal Revenue Service
Fortunately, the First Amendment would probably keep this kind of flippant taxation from ever working. Besides, perhaps I could put a disclaimer on my blog: "Do not read if you are in the following locales: x, y, z".
This law only directly affects businesses doing business in the state. There is a long and cherished history of local governments restricting businesses to a degree in their state.
See here for a good assessment of why the "worldwide" scope isn't really overreaching.
"From my cold, dead hands you damn, dirty apes!" - CH
Fortunately, the First Amendment would probably keep this kind of flippant taxation from ever working. Besides, perhaps I could put a disclaimer on my blog: "Do not read if you are in the following locales: x, y, z".
Yeah, because the first amendment has done such a wonderful job preventing laws like the DMCA from being passed.
My journal has hot
So...
/~mikeg
What they're saying is basically if I "encrypt" everything I store with rot13 then when someone breaks in and steals [insert favorite sensitive bit of data here] from my database I don't have to say a thing to anyone - after all, it was encrypted....
DUH!!!!!!
/~mikeg
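The two points made above, that a keyless transform like rot13 is not encryption in any useful sense and that encryption at rest does nothing once the host holding the key is rooted, as a small added simulation (example code written for this thread, not from any poster or product). The keystream here is a SHA-256 counter-mode stand-in so the script runs with the standard library only; a real deployment would use a vetted AEAD such as AES-GCM, and the sample record is constructed.

```python
import codecs
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample record; not real personal data.
RECORD = "name=Jane Doe;ssn=000-00-0000;dl=X0000000"
NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode) for illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: str) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def decrypt(key: bytes, blob: bytes) -> str:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body)))).decode()


@dataclass
class HostImage:
    """Everything an intruder can copy off a fully compromised machine."""
    db_file: bytes
    key_file: Optional[bytes]  # None when the key lives off-host (vault, HSM)


def store(mode: str, key_on_host: bool) -> Tuple[HostImage, bytes]:
    """Write RECORD the way a company might, returning the host image and the
    key the defender legitimately holds (empty for the keyless rot13 case)."""
    if mode == "rot13":
        blob = codecs.encode(RECORD, "rot13").encode()
        return HostImage(blob, None), b""
    key = secrets.token_bytes(32)
    blob = encrypt(key, RECORD)
    return HostImage(blob, key if key_on_host else None), key


def attacker_recovers(host: HostImage, mode: str) -> Optional[str]:
    """What an intruder holding a full copy of the host can read without any
    secret the defender kept elsewhere. None means the record stays opaque."""
    if mode == "rot13":
        # No key involved: the transform is its own inverse, anyone can undo it.
        return codecs.decode(host.db_file.decode(), "rot13")
    if host.key_file is not None:
        # Rooted host plus co-located key: "encrypted at rest" buys nothing.
        return decrypt(host.key_file, host.db_file)
    return None  # ciphertext only; this is the case the law's exemption assumes


if __name__ == "__main__":
    for mode, on_host in (("rot13", False), ("cipher", True), ("cipher", False)):
        host, _ = store(mode, on_host)
        print(mode, "key_on_host=%s" % on_host, "->", attacker_recovers(host, mode))
```

The third case is the only one where a stolen copy of the database is useless to the thief; it also shows why "is it encrypted?" is the wrong question and "can the intruder reach the key?" is the right one.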
One thing that came up in policy planning discussion is that this does not apply strictly to databases. (IANAL, but this came from the Legal department.)
If you were to make a hard copy document that includes the relevant personal information (think employee records), the piece of paper is covered by this law. Unauthorized access to the document would trigger the reporting requirements. Access to the unencrypted information is being regulated.
Hopefully non-techs are being told to lock file cabinets and shred old files.
Please install the attached patch at your earliest opportunity.
Now I have an excuse to encrypt everything AND stop doing business with California!
The first - just because. The second because this will benefit California lawyers more than any consumer. It means they can sue a Michigan company just because they sold something to someone in California once, and lawyers just love to jump on a case like that and bust someone for millions.
And since there is no effective prosecution of hackers, the company winds up getting screwed both ways.
To celebrate the occasion of my 1000th post, I will post no more forever on Slashdot. Goodbye.
Maybe companies will FINALLY encrypt their data. Virtually every break-in and theft of data I have ever read about would have been a non-story had they simply used encryption, even if using a 33 year old algorithm. Instead, there was no accountability, and thus no need to take common sense measures.
Now, there is.
If these posts aren't moderated back up by later this week (I get mod points about once a week), I'll fix the problem. I'm posting anonymously so that I'll hopefully be able to do so and so that if the ten-year-old still has mod points left, it won't hurt my +2 bonus.
Keep in mind this guy does have a financial interest in making sure that companies prepare for SB 1386, but with that said there's a pretty good resource here. The FAQ goes over the basics pretty well and there's a good legalese to English translation.
(Side note, I saw this guy speak at one of the Silicon Valley chapter ISSA meetings. The tone everyone had, especially from the Medical IT guys like myself, was this is going to be a HUGE headache next time a big worm comes around.)
Cheers,
-E2
The evil monkey commands you to dance.
Looks like the potential for some serious buck passing here, with everyone pointing fingers--> upstream to the companies, who will then turn around and point this way --> code and sales jocks.
Ya all devgeeks, LOOKOUT! CYA over there in cal, DOCUMENT THE LIVING HECK out of whatever you do know if it involves "cash" and "customer data" downstream anyplace.
lawyers/legislators -gotta love 'em! At least THEY know how to profit in a recession! heh heh heh
Idea! EVERYONE IN THE KNOWN UNIVERSE get a law degree! Then, CREATE new elected positions, and EVERYONE get elected to something! That'll solve that! No one has to work, we can all sit around and SUE each other,and pass laws against each other, perpetual economic and political motion, woohoo, solved!
I always thought "the company" referred to the CIA or some other super sekret government agency.
That's exactly what I'm missing here... How did Babelfish manage to translate it "Their"????
In English, we call everyone "you". We used to call them "thou" and "you" depending on whether there was one or more people being addressed.
Then, later, we started to use "you" as a polite address for individuals, because respected people were "more" than others. Eventually "you" took over and completely supplanted "thou".
In French, it's the same, except that "you" didn't take over: they still have the singular tu, but they use vous for plurals and as a mark of respect.
In Italian, it's even weirder: they still use tu informally, and voi to a group, but to say "you" politely, you use the word for "her". This is because, way back, they used to address people politely like "How is your lordship?" or "What does Your Excellency wish?". Eventually it got annoying to say "Your Lordship" all the time, so they started saying just "It" instead. But "excellency" and "lordship" are feminine in Italian, so "it" was actually "she".
I believe it's the same reason in German. Originally the polite form of "you" (Sie) stood for some title one used to refer politely to people, just like Herr originally meant "Lord".
LOL... This bill was probably lobbied by Encryption companies like RSA and the such :)
Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
There are tonnes of bad Linux installs out there... Probably almost as many as really insecure Windows systems... Just because someone has an OS that has the ability of being secure doesn't mean it actually is... Only difference between Linux and MS OS is you need to do some work to make a Linux system secure.. MS OS security through obscurity.... I'll leave that there.
Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
Damn.
This is not SPAM. By law, I must inform you that your personal information may have been accidentally retrieved by a hacker at the XYZ corporation. But if you buy our software today, you can prevent identity theft, SARS, and other horrible events from occurring.
what if i considered the unwanted access of my data to be 'trespassing', or 'conversion'; and not a security breach.
:o)
could i sue for $1.00?
i'll defend your rights to contest your parking tickets all the way to the gas chamber...
A review into the detention of hundreds of foreign nationals in the United States following the 11 September 2001 attacks has found significant problems in the way they were handled.
The report, by the inspector general of the US Justice Department, says some of the detainees were held in unduly harsh conditions and were subject to abuse.
The report looks into the cases of 762 people who were living in the US illegally and were detained in the 11 months following the attacks.
It concludes that some had to wait more than a month before being charged with any offence, and that they remained in custody for weeks without any investigations taking place as to whether they actually had any links to terrorism.
Restrictive conditions
The report is particularly critical of conditions at the Metropolitan detention centre in New York.
Eighty-four of the detainees were held there under what the report calls highly restrictive conditions, including being locked up for at least 23 hours per day.
They were also subject to escort procedures that included hand-cuffs, leg-irons and heavy chains; and a limit of one legal telephone call per week, which the report says prevented them from obtaining timely advice.
Some detainees also suffered a pattern of physical and verbal abuse at the centre.
The Justice Department says its actions were fully within the law, adding that it makes no apologies for finding every legal way possible to protect the American public from terrorist attacks.
Less is more !