Slashdot Mirror


Notifications of Security Breaches

LogError writes "On July 1, 2003, Senate bill 1386 becomes Civil Code 1798.82. In a nutshell, the law states that any person or company doing business in the state of California is responsible for notifying California residents of security breaches to their non-encrypted information. It is important to note that the actual breach does not need to occur in the state of California for the law to apply."

6 of 130 comments

  1. Re:Language? by Surak · Score: 2, Interesting

    I'd say the Fish did a surprisingly good job with this, given its history of being useless as a tool for me to cheat with in Spanish class.

    It's not surprising, actually. While many people assume that English is based mostly on Latin, the fact is that English is a language that is based partly on Latin and partly on German. The syntax for English is actually closer to German than to Latin, while the syntax for Spanish, French and other romantic languages is clearly closer to Latin (which is why when you learn Spanish, learning French or Italian [etc.] is a breeze ;).

  2. Re:I can see it now by GrandCow · Score: 5, Interesting

    Actually... now that I think about it, I could possibly see a spam company getting with a large corporation, setting up a false break in, and sending the email to everyone in the company with their product (which was required by law to be sent) with the security breach message at the bottom.

    "Just trying to save you some time by combining these 2 emails into 1"

    --
    "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson

  3. Funny? Try sad! by stewby18 · Score: 2, Interesting

    While I wish the parent were merely funny, this is probably closer to the truth of what many companies will do than any of us would like.

    It's incredibly easy to encrypt something without actually adding much, if any, security. It's just too easy to do wrong, and if all someone cares about is paying lip service to the law, then it will be done wrong in many, many companies.

  4. Does this apply to California Government? by WC+as+Kato · Score: 4, Interesting

    Remember when Slashdot reported that the State of California got a database hacked and had the identity data of all of their government employees compromised?

    So with this law, the State of California would notify their employees that hackers have their data. Well, technically they did what they are proposing. Too bad this was after the Sacramento Bee newspaper reported it first! At least they provide a government link for help.

    When this law passes, the State of California should sue themselves into compliance!

    --
    --- I'm Green Hornet's sidekick not Inspector Clouseau's!

  5. It's not just about databases by shogarth · Score: 2, Interesting

    One thing that came up in policy planning discussion is that this does not apply strictly to databases. (IANAL, but this came from the Legal department.)

    If you were to make a hard copy document that includes the relevant personal information (think employee records), the piece of paper is covered by this law. Unauthorized access to the document would trigger the reporting requirements. Access to the unencrypted information is being regulated.

    Hopefully non-techs are being told to lock file cabinets and shred old files.

  6. Re:"there are no existing industry best practices" by BrynM · Score: 2, Interesting

    I think any manager caught doing this would play dumb and blame the admins and techs though. I personally have had higher-ups tell me not to cc them on things or not to fully explain something just so they could play dumb without cracking a smile (not at my current job though). When I worked sales, we had a hand signal to give the manager when you just wanted him/her to say "no" dramatically to a customer request. I would say something like "Let me go ask my manager" and as I walked up to the manager I would give the "tell me 'No!'" signal. I wouldn't even relay the question the customer just asked, but the manager would blurt out "Absolutely not! We can't just give things away!" and get all blustery. By the time I made it back to the customer, the customer was feeling bad for making me look like a fool in front of my boss and I would get the sale the way I wanted. Eventually, when I moved out of sales and into IT, the same routine would happen, but the customer was a manager or employee from another department. I didn't like doing this, but it was how the game was played. I think the unscrupulous manager would find a way to avoid blame just as easily as they found a way to avoid the problem. Unfortunately, the tech who complains about not being listened to will probably get a severance package instead of attention.

    I guess I've become a bit cynical about this, but there is no way - especially in today's climate - that a company would spend more money putting on a good face when they could get the same result by spending less.

    --
    US Democracy: The best person for the job (among these pre-selected choices...)