Slashdot Mirror
Notifications of Security Breaches
LogError writes "On July 1, 2003, Senate bill 1386 becomes Civil Code 1798.82. In a nutshell, the law states that any person or company doing business in the state of California is responsible for notifying California residents of security breaches to their non-encrypted information. It is important to note that the actual breach does not need to occur in the state of California for the law to apply."
Interestingly, there is no language in this law governing what the notification has to say, and whether or not it has to be easily understood by the customer.
Dear Valued Taxpayer,
Ihre Sozialversicherungzahl wurde von einem Hacker gestohlen. Er hat Ihre Identität gestohlen. Haben Sie einen schönen Tag.
Sincerely,
California Internal Revenue Service
-This was Fished. I apologize for the bad German.
Vonal Declosion
So now we know when our info is violated...
Dear __(name)__; On __(Date)__ at __(Time)__ your personal information was illegally acessed by "31337 Hackers", The FBI, Microsoft (circle all that apply).
There is nothing you can do but the new law requires that we tell you. Neaner Neaner Neaner!
Really, this is a bare minimum of informing people. The few times this would apply is when something like this happens:
Sorry, but we accidentally sent every SanFran registered voter's complete personal information to some accounting companies, rather than their 2002 ballots to be checked. And that information got lost in the mail. So, ah, all of your lives are floating out there somewhere in a canvas bag with U.S. Mail written on it. Sorry!
non-encrypted
So just ROT13 everything and the law goes bye bye. Hell, it worked for Adobe.
And do pfishers have to tell California residents when they have stolen their credit card information?
"Even more compelling, this law applies worldwide, to any company doing business in the state,"
I doubt they're gonnna go round extraditing people for this.. probably just pick them up at the airport or somthing
And anotherthing... How exactly will you know if there has been a security breach? If I send data unencrypted anyone at any ISP along the way could potentialy be listening in without me ever knowing.
From what I've read, most companies realize that hackers are simply in it for kicks and don't bother notifying the customer because it just causes a lot of panic. Forcing them to report every single time their web page is defaced is going to cost them a lot of business.
What if you don't know about it?
I don't see Microsoft moving HQ to California any time soon.
At least the article is geared to being honest.
US Democracy:The best person for the job (among These pre-selected choices...)
This law seems to be intended to make it more than just good customer service to notify Californians when someone has potentially stolen their identifying information (Name, SSN, etc.) by hacking your company's weak-ass system.
In fact, there is a provision that the law doesn't apply if you store the customer's data in an encrypted format. The clear intent of this is to provide an incentive to companies to start storing encrypted data, in the belief that if the data is "stolen" it will be useless to the thief. Of course, this seems to be a provision that is geared more to guard against physical theft of persistant storage, as it probably wouldn't help if the system is actually rooted and the decryption keys become compromised or the part of the system that is up/downstream of the crypt routines is hijacked.
In any case, this seems designed to force companies to take their (Californian) customers' personal information's security a bit more seriously than many seem to and is probably part of a more comprehensive effort to prevent identity theft in general.
In my opinion, this law (or one like it) is a Good Thing (tm).
Any rookie lawyer has an open season on this one. It is so vague as to be almost useless. Reads more like IT "feelgood" legislation. It is somewhat well intentioned, but way vague. I understand the intent, this is obvious, but those darn pesky details are always the bugger. Encrypted data? That means *any* encryption technique.(note, maybe they have a codofied definition of that, if so, that would change things) A directory name written in pig latin would might fly as an example of that. "eekritsay ustomercay ataday hisawaytay" And notification? Postcard to someone -> "Hey, vern, looks like someone got your stuff, you should have been more careful, donchaknow". And as pointed out, it really would be much cheaper for companies now to not give a care about security, it actually encourages them to *not find out* about breaches. It's a variant of "don't ask, we won't look, so no one has to tell". Of course the counter argument would be like "well, then businesses would face possible loss when customers found out on their own, and the word got around, and etc". Sounds nice, doesn't work / hasn't worked in the real world so far though.
I don't see this radically changing things though, I expect that most companies will continue more or less like they are now. Possible exception might be some really large companies would have to individually notify all their licensed users with any security related bug shows up, because once THEY have been notified of an exploit that has been used,not just proposed theoretically but used, it would *seem* to mandate they must notify their thousands or millions of customers, per the description of who is doing business inside the state. Technically anything discovered in house applies, realistically, perhaps some shredding might happen if it looks like a bad breech occurred, cyber shredding and paper shredding, as a more cost effective solution. Or just a canned response, "we have discovered a minor security breech, our crack team of professionals have fixed the problem" whatnot. who knoweth....
Probably take several examples before case law sorts this out, or it might be challenged and dropped on the first case as too vague and unenforceable.
If only "...acquisition of computerized data in non-encrypted form by an unauthorized person" had been "...by a person not authorized by the company."
Technically they might have to, by law, inform you of all those secret searches being carried out under the TREASON - er - PATRIOT act, which forbids them from informing you.
The agents would be authorized by law, but not by the company.
Interestingly, there is no language in this law governing what the notification has to say, and whether or not it has to be easily understood by the customer
To: someoneinCA@aol.com
Subject: Grow your penis 10 inches in less than a day!
Greetings fellow soon to be elephant sized penis man. Let me take the time to tell you about a GUARANTEED and PROVEN method we've developed over 30 years to work perfectly the first time and give you up to 10 inches more in your member's length! All you have to do is realize that your wildest dream is about to come true and just click on our website and order our system! Under Civil Code 1798.82 your information was downloaded illegally by a hacker on July 10, 2003. Act now!
"Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
To Whom it May Concern:
On June 26, a middle level manager at our company opened an email claiming that a friend had sent him something "for him to see." This manager opened the email in Outlook Express. Approximately two hours later, the entire network was shut down, all of our databases were open to any traffic that wished to view it, and every computer in the department was forced to spend the rest of the day with a picture of a woman having sexual intercourse with a horse for a desktop image.
We appreciate your patience.
ATTACHMENT: klezz.txt
Libertarians somehow believe that private businesses should be stronger than governments but weaker than individuals.
Defacing a webpage doesn't fall under this law. Nor does it fall under this law if hackers only look at proprietary information about the business, financial statements whatever.
This is purely notification for customers when customer information has been illegally accessed.
"No nation could preserve its freedom in the midst of continual warfare."
--James Madison
... to spam their customers?
-----------------
Dear valued customer (and CA taxpayer),
I send you this letter to ask for your advice.
Recently we had a security breach, and it is believed that your email address, social security and drivers license were all stolen.
We know this is probably a bad thing, but we're not really sure. Anyway, while you're reading this letter, why not try some Viagra?
Sincerely,
Your Electric Company
If you read the article, it doesn't say ANYTHING about reporting security HOLES (of which Microsoft is plenty guilty).
It says about reporting security BREACHES.
Which is a whole 'nother ball of wax.
If Microsoft had their customer accounts database hacked, then they'd have to notify customers, not if there's a security hole in their product.
On the other hand, if your bank used Microsoft products and because of a security hole in the product, a hacker got access to their data, then they'd have to report this to their customers in California. Which would make them ticked off at Microsoft. And.....
Oh, and I disagree with at least one comment in the article - the article indicates that all you need to do is to encrypt your data to be safe from reporting under the law. The little I've read seems to indicate that if you feed the information to the hacker in a form he can read, you're vulnerable. So if your database is encrypted but you decrypt it before sending it to the customer (or hacker), you're toast.
Similarly, if you send the data to the hacker over an SSL connection, you're toast - the hacker can decrypt the data on the connection.
In my opinion, this law (or one like it) is a Good Thing (tm).
I'm not so sure. I have mixed emotions. On one hand, it's a good thing for companies to have to notify customers of an actual breech because it will require them to take data security seriously and take actual steps to prevent theft or at least make the theft of the data useless to a thief.
The problem is that this extends to all companies worldwide. Honestly, I don't see how this can be avoided, but it further sets the precedent that the laws of one locality's whim affect the whole 'Net. That's a problem from a censorship standpoint especially in this politically correct age where anything offensive is basically considered okay to censor.
If people in say that blogs are offensive to them and anyone who runs a blog is subject to some sort of fine or tax on blogs, then Slashdot and various users that have journals on Slashdot could end up having to pay said fine or tax to people that locality. It sounds far-fetched, but it's laws like this that slowly erode away individual rights that will eventually lead to the death of the 'Net as we know it.
Of course, I could just be talking completely out my ass and have no idea what I'm saying because IANAL, so take this with a grain of salt if you will.
So yeah, it IS a good thing don't get me wrong, but the vagueness of the law combined with it's supposed worldwide reach do have me a little concerned.
My journal has hot
Remember when Slashdot reported that the State of California got a database hacked and had the identity of all of their government employee's data comprimised?
So with this law, the State of California would notify their employees that hackers have their data. Well, technically they did what they are proposing. Too bad this was after the Sacramento Bee newspaper reported it first! At least they provide a government link for help.
When this law passes, the State of California should sue themselves into compliance!
--- I'm Green Hornet's sidekick not Inspector Clouseau's!