Slashdot Mirror


Notifications of Security Breaches

LogError writes "On July 1, 2003, Senate bill 1386 becomes Civil Code 1798.82. In a nutshell, the law states that any person or company doing business in the state of California is responsible for notifying California residents of security breaches to their non-encrypted information. It is important to note that the actual breach does not need to occur in the state of California for the law to apply."

15 of 130 comments

  1. Ah, good old EBG13 by Anonymous Coward · · Score: 5, Insightful

    non-encrypted

    So just ROT13 everything and the law goes bye bye. Hell, it worked for Adobe.

  2. Worldwide law by Fembot · · Score: 4, Insightful

    "Even more compelling, this law applies worldwide, to any company doing business in the state,"

    I doubt they're gonna go round extraditing people for this... probably just pick them up at the airport or something.

    And another thing... How exactly will you know if there has been a security breach? If I send data unencrypted, anyone at any ISP along the way could potentially be listening in without me ever knowing.

    1. Re:Worldwide law by kaltkalt · · Score: 5, Insightful

      It is very disingenuous to say it "applies worldwide" without noting that it applies to worldwide companies who are "doing business" in the state.

      As long as a company is doing business in the state, "doing business" defined as: having a registered agent in the state of California, having a physical office, contracting to do business with vendors in the state (parts manufacturers, suppliers), or having retail outlets in the state[.]

      If the company is purposely availing itself of California, taking advantage of California laws in running its business (i.e. it gets to use CA laws to enforce its contracts, use California police to prevent its outlets from being robbed, etc.), then it is perfectly fair for the company to have to obey this law. If you are selling something on eBay it doesn't apply to you, so don't worry. This only applies to people who intentionally and knowingly do business in the state. Nobody who this law applies to is going to be shocked that "whoa, California laws apply to me?" They know or should know.

      --

      Stupid people make stupid things profitable.

  3. Bad idea... by Anonymous Coward · · Score: 5, Insightful

    With the economy going like it is, I doubt the businesses can afford to spend the time monitoring for this sort of situation. Not to mention the ill-will this will generate among customers.

    From what I've read, most companies realize that hackers are simply in it for kicks and don't bother notifying the customer because it just causes a lot of panic. Forcing them to report every single time their web page is defaced is going to cost them a lot of business.

  4. *All* breaches? by 42forty-two42 · · Score: 4, Insightful

    What if you don't know about it?

  5. "there are no existing industry best practices" by BrynM · · Score: 5, Insightful

    I can see a whole bunch of managers cutting their security budgets right now. I assume that they have to find the breach before it can be reported...so... don't find security breaches. If the managers/executives/powers-that-be decide that the data is too general (like addresses and such), then why should they monitor the security and risk such a public exposure. "We have only had to announce three security breaches this month compared to our (honest) competitor who has had twenty-four. Wouldn't you rather do business with us?"

    At least the article is geared to being honest.

    --
    US Democracy: The best person for the job (among These pre-selected choices...)

    1. Re:"there are no existing industry best practices" by poot_rootbeer · · Score: 4, Insightful

      I assume that they have to find the breach before it can be reported...so... don't find security breaches.

      Any security professional employed by a reputable company will cough and sputter at the idiocy of such a suggestion.

      Of course, that doesn't preclude bean-counters or decision-makers from higher up from forcing such a policy into effect anyway...

    2. Re:"there are no existing industry best practices" by Jeremiah+Cornelius · · Score: 3, Insightful

      I agree that this would be the first PHB inclination.

      The California law does not void the standing legal principles of "due diligence" and "due care".

      Due Care means, basically, that a manager can be held liable for loss or damages, when provisions were not made to prevent them. The standard used is "measures a reasonable person would take, given the facts."

      Due Diligence covers the loophole in "given the facts". This means a "reasonable effort" to ascertain the nature of risks, and appropriate countermeasures.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."

  6. This is intended to protect California consumers by Larthallor · · Score: 5, Insightful

    This law seems to be intended to make it more than just good customer service to notify Californians when someone has potentially stolen their identifying information (Name, SSN, etc.) by hacking your company's weak-ass system.

    In fact, there is a provision that the law doesn't apply if you store the customer's data in an encrypted format. The clear intent of this is to provide an incentive to companies to start storing encrypted data, in the belief that if the data is "stolen" it will be useless to the thief. Of course, this seems to be a provision that is geared more to guard against physical theft of persistent storage, as it probably wouldn't help if the system is actually rooted and the decryption keys become compromised or the part of the system that is up/downstream of the crypt routines is hijacked.

    In any case, this seems designed to force companies to take their (Californian) customers' personal information's security a bit more seriously than many seem to and is probably part of a more comprehensive effort to prevent identity theft in general.

    In my opinion, this law (or one like it) is a Good Thing (tm).

  7. the mother of vagueness by zogger · · Score: 5, Insightful

    Any rookie lawyer has an open season on this one. It is so vague as to be almost useless. Reads more like IT "feelgood" legislation. It is somewhat well intentioned, but way vague. I understand the intent, this is obvious, but those darn pesky details are always the bugger. Encrypted data? That means *any* encryption technique. (Note, maybe they have a codified definition of that; if so, that would change things.) A directory name written in pig latin might fly as an example of that. "eekritsay ustomercay ataday hisawaytay" And notification? Postcard to someone -> "Hey, Vern, looks like someone got your stuff, you should have been more careful, donchaknow". And as pointed out, it really would be much cheaper for companies now to not give a care about security; it actually encourages them to *not find out* about breaches. It's a variant of "don't ask, we won't look, so no one has to tell". Of course the counter argument would be like "well, then businesses would face possible loss when customers found out on their own, and the word got around, and etc". Sounds nice, doesn't work / hasn't worked in the real world so far though.

    I don't see this radically changing things though; I expect that most companies will continue more or less like they are now. A possible exception might be that some really large companies would have to individually notify all their licensed users when any security-related bug shows up, because once THEY have been notified of an exploit that has been used, not just proposed theoretically but used, it would *seem* to mandate they must notify their thousands or millions of customers, per the description of who is doing business inside the state. Technically anything discovered in house applies; realistically, perhaps some shredding might happen if it looks like a bad breach occurred, cyber shredding and paper shredding, as a more cost effective solution. Or just a canned response, "we have discovered a minor security breach, our crack team of professionals have fixed the problem" whatnot. who knoweth....

    Probably take several examples before case law sorts this out, or it might be challenged and dropped on the first case as too vague and unenforceable.

  8. Oh, this could have been so fun by Quila · · Score: 4, Insightful

    If only "...acquisition of computerized data in non-encrypted form by an unauthorized person" had been "...by a person not authorized by the company."

    Technically they might have to, by law, inform you of all those secret searches being carried out under the TREASON - er - PATRIOT act, which forbids them from informing you.

    The agents would be authorized by law, but not by the company.

  9. Read the article by Mark+Bainter · · Score: 5, Insightful

    The law does not require them to report every time their web page is defaced.

    "Data" in this case is defined as the first name, last name, and any combination of the following: Social Security Number, driver's license number, account number, debit or credit card information. The caveat being that the data acquired has to be non-encrypted. Should a security breach occur to a database housing encrypted customer data, the law does not apply.

    Defacing a webpage doesn't fall under this law. Nor does it fall under this law if hackers only look at proprietary information about the business, financial statements whatever.

    This is purely notification for customers when customer information has been illegally accessed.

    --
    "No nation could preserve its freedom in the midst of continual warfare."
    --James Madison

  10. I find this fascinating all this Microsoft talk. by LO0G · · Score: 5, Insightful

    If you read the article, it doesn't say ANYTHING about reporting security HOLES (of which Microsoft is plenty guilty).

    It says about reporting security BREACHES.

    Which is a whole 'nother ball of wax.

    If Microsoft had their customer accounts database hacked, then they'd have to notify customers, not if there's a security hole in their product.

    On the other hand, if your bank used Microsoft products and because of a security hole in the product, a hacker got access to their data, then they'd have to report this to their customers in California. Which would make them ticked off at Microsoft. And.....

    Oh, and I disagree with at least one comment in the article - the article indicates that all you need to do is to encrypt your data to be safe from reporting under the law. The little I've read seems to indicate that if you feed the information to the hacker in a form he can read, you're vulnerable. So if your database is encrypted but you decrypt it before sending it to the customer (or hacker), you're toast.
    Similarly, if you send the data to the hacker over an SSL connection, you're toast - the hacker can decrypt the data on the connection.

  11. Re:This is intended to protect California consumer by Surak · · Score: 3, Insightful

    In my opinion, this law (or one like it) is a Good Thing (tm).

    I'm not so sure. I have mixed emotions. On one hand, it's a good thing for companies to have to notify customers of an actual breach because it will require them to take data security seriously and take actual steps to prevent theft or at least make the theft of the data useless to a thief.

    The problem is that this extends to all companies worldwide. Honestly, I don't see how this can be avoided, but it further sets the precedent that the laws of one locality's whim affect the whole 'Net. That's a problem from a censorship standpoint especially in this politically correct age where anything offensive is basically considered okay to censor.

    If people in say that blogs are offensive to them and anyone who runs a blog is subject to some sort of fine or tax on blogs, then Slashdot and various users that have journals on Slashdot could end up having to pay said fine or tax to people in that locality. It sounds far-fetched, but it's laws like this that slowly erode away individual rights that will eventually lead to the death of the 'Net as we know it.

    Of course, I could just be talking completely out my ass and have no idea what I'm saying because IANAL, so take this with a grain of salt if you will.

    So yeah, it IS a good thing, don't get me wrong, but the vagueness of the law combined with its supposed worldwide reach do have me a little concerned.

  12. Re:This is intended to protect California consumer by Aviancer · · Score: 2, Insightful

    If people in say that blogs are offensive to them and anyone who runs a blog is subject to some sort of fine or tax on blogs, then Slashdot and various users that have journals on Slashdot could end up having to pay said fine or tax to people in that locality. It sounds far-fetched, but it's laws like this that slowly erode away individual rights that will eventually lead to the death of the 'Net as we know it.

    Fortunately, the First Amendment would probably keep this kind of flippant taxation from ever working. Besides, perhaps I could put a disclaimer on my blog: "Do not read if you are in the following locales: x, y, z".

    This law only directly affects businesses doing business in the state. There is a long and cherished history of local governments restricting businesses to a degree in their state.