Notifications of Security Breaches

LogError writes "On July 1, 2003, Senate bill 1386 becomes Civil Code 1798.82. In a nutshell, the law states that any person or company doing business in the state of California is responsible for notifying California residents of security breaches to their non-encrypted information. It is important to note that the actual breach does not need to occur in the state of California for the law to apply."

Language?

[CptChipJew]

Interestingly, there is no language in this law governing what the notification has to say, and whether or not it has to be easily understood by the customer.

Dear Valued Taxpayer,

Ihre Sozialversicherungzahl wurde von einem Hacker gestohlen. Er hat Ihre Identität gestohlen. Haben Sie einen schönen Tag.

Sincerely,

California Internal Revenue Service

-This was Fished. I apologize for the bad German.

Re:Language?

[damiangerous]

English is a Germanic language. It's only very distantly related to Latin, however, nearly half the vocabulary is Latin or French (romance) loan words (which is where your "partly based on" assumption probably came from). But English grammar is overwhelmingly Germanic, which betrays its true origins. To see where English came from, look at Icelandic. It's a language that has changed very little in 1,000 years and is very, very close to Old English. The main Latin influence came in the first half of the last millenia, during the Norman invasion of Britain, and the English language was nearly wiped out under the French/Latin dominance. This is the period where all the Latin influence came from. But when English returned to prominance in the 15th century as Middle English it had become basically the language we know today. Vowel and consonant sounds have changed greatly, but the language has remained fundamentally the same for the past 400 years or so.

a new mail folder

[JSmooth]

So now we know when our info is violated...

Dear __(name)__; On __(Date)__ at __(Time)__ your personal information was illegally acessed by "31337 Hackers", The FBI, Microsoft (circle all that apply).

There is nothing you can do but the new law requires that we tell you. Neaner Neaner Neaner!

Applications Lacking?

[gerf]

Really, this is a bare minimum of informing people. The few times this would apply is when something like this happens:

Sorry, but we accidentally sent every SanFran registered voter's complete personal information to some accounting companies, rather than their 2002 ballots to be checked. And that information got lost in the mail. So, ah, all of your lives are floating out there somewhere in a canvas bag with U.S. Mail written on it. Sorry!

Ah, good old EBG13

non-encrypted

So just ROT13 everything and the law goes bye bye. Hell, it worked for Adobe.

Re:Ah, good old EBG13

[blibbleblobble]

"So just ROT13 everything and the law goes bye bye Hell, it worked for Adobe."

Is ROT-26 encryption not strong enough for california law?

Re:Ah, good old EBG13

[iapetus]

Certainly not. Lawmakers have at least vaguely cottoned on to how encryption strength is measured. They'd want ROT-52 at least, and ROT-156 for data with a higher security risk...

Worldwide law

[Fembot]

"Even more compelling, this law applies worldwide, to any company doing business in the state,"

I doubt they're gonnna go round extraditing people for this.. probably just pick them up at the airport or somthing

And anotherthing... How exactly will you know if there has been a security breach? If I send data unencrypted anyone at any ISP along the way could potentialy be listening in without me ever knowing.

Re:Worldwide law

[kaltkalt]

It is very disingenuous to say it "applies worldwide" without noting that it applies to worldwide companies who are "doing business" in the state.

As long as a company is doing business in the state, "doing business" defined as: having a registered agent in the state of California, having a physical office, contracting to do business with vendors in the state (parts manufacturers, suppliers), or having retail outlets in the state[.]

If the company is purposely availing themselves in california, taking advantage of california laws in running its business (i.e. it gets to use CA laws to enforce its contracts, use california police to prevent its outlets from being robbed, etc.) then it is perfectly fair for the company to have to obey this law. If you are selling something on ebay it doesn't apply to you, so don't worry. This only applies to people who intentionally and knowningly do business in the state. Nobody who this law applies to is going to be shocked that "woah california laws apply to me?" They know or should know.

Bad idea...

With the economy going like it is, I doubt the businesses can afford to spend the time monitoring for this sort of situation. Not to mention the ill-will this will generate among customers.

From what I've read, most companies realize that hackers are simply in it for kicks and don't bother notifying the customer because it just causes a lot of panic. Forcing them to report every single time their web page is defaced is going to cost them a lot of business.

*All* breaches?

[42forty-two42]

What if you don't know about it?

"there are no existing industry best practices"

[BrynM]

I can see a whole bunch of managers cutting their security budgets right now. I assume that they have to find the breach before it can be reported...so... don't find security breaches. If the managers/executives/powers-that-be decide that the data is too general (like addresses and such), then why should they monitor the security and risk such a public exposure. "We have only had to announce three security breaches this month compared to our (honest) competitor who has had twenty-four. Wouldn't you rather do business with us?"

At least the article is geared to being honest.

Re:"there are no existing industry best practices"

[poot_rootbeer]

I assume that they have to find the breach before it can be reported...so... don't find security breaches.

Any security professional employed by a reputable company will cough and sputter at the idiocy of such a suggestion.

Of course, that doesn't preclude bean-counters or decision-makers from higher up from forcing such a policy into effect anyway...

This is intended to protect California consumers

[Larthallor]

This law seems to be intended to make it more than just good customer service to notify Californians when someone has potentially stolen their identifying information (Name, SSN, etc.) by hacking your company's weak-ass system.

In fact, there is a provision that the law doesn't apply if you store the customer's data in an encrypted format. The clear intent of this is to provide an incentive to companies to start storing encrypted data, in the belief that if the data is "stolen" it will be useless to the thief. Of course, this seems to be a provision that is geared more to guard against physical theft of persistant storage, as it probably wouldn't help if the system is actually rooted and the decryption keys become compromised or the part of the system that is up/downstream of the crypt routines is hijacked.

In any case, this seems designed to force companies to take their (Californian) customers' personal information's security a bit more seriously than many seem to and is probably part of a more comprehensive effort to prevent identity theft in general.

In my opinion, this law (or one like it) is a Good Thing (tm).

the mother of vagueness

[zogger]

Any rookie lawyer has an open season on this one. It is so vague as to be almost useless. Reads more like IT "feelgood" legislation. It is somewhat well intentioned, but way vague. I understand the intent, this is obvious, but those darn pesky details are always the bugger. Encrypted data? That means *any* encryption technique.(note, maybe they have a codofied definition of that, if so, that would change things) A directory name written in pig latin would might fly as an example of that. "eekritsay ustomercay ataday hisawaytay" And notification? Postcard to someone -> "Hey, vern, looks like someone got your stuff, you should have been more careful, donchaknow". And as pointed out, it really would be much cheaper for companies now to not give a care about security, it actually encourages them to *not find out* about breaches. It's a variant of "don't ask, we won't look, so no one has to tell". Of course the counter argument would be like "well, then businesses would face possible loss when customers found out on their own, and the word got around, and etc". Sounds nice, doesn't work / hasn't worked in the real world so far though.

I don't see this radically changing things though, I expect that most companies will continue more or less like they are now. Possible exception might be some really large companies would have to individually notify all their licensed users with any security related bug shows up, because once THEY have been notified of an exploit that has been used,not just proposed theoretically but used, it would *seem* to mandate they must notify their thousands or millions of customers, per the description of who is doing business inside the state. Technically anything discovered in house applies, realistically, perhaps some shredding might happen if it looks like a bad breech occurred, cyber shredding and paper shredding, as a more cost effective solution. Or just a canned response, "we have discovered a minor security breech, our crack team of professionals have fixed the problem" whatnot. who knoweth....

Probably take several examples before case law sorts this out, or it might be challenged and dropped on the first case as too vague and unenforceable.

Oh, this could have been so fun

[Quila]

If only "...acquisition of computerized data in non-encrypted form by an unauthorized person" had been "...by a person not authorized by the company."

Technically they might have to, by law, inform you of all those secret searches being carried out under the TREASON - er - PATRIOT act, which forbids them from informing you.

The agents would be authorized by law, but not by the company.

I can see it now

[GrandCow]

Interestingly, there is no language in this law governing what the notification has to say, and whether or not it has to be easily understood by the customer

To: someoneinCA@aol.com
Subject: Grow your penis 10 inches in less than a day!

Greetings fellow soon to be elephant sized penis man. Let me take the time to tell you about a GUARANTEED and PROVEN method we've developed over 30 years to work perfectly the first time and give you up to 10 inches more in your member's length! All you have to do is realize that your wildest dream is about to come true and just click on our website and order our system! Under Civil Code 1798.82 your information was downloaded illegally by a hacker on July 10, 2003. Act now!

Re:I can see it now

[GrandCow]

Actually... now that I think about it, I could possibly see a spam company getting with a large corporation, setting up a false break in, and sending the email to everyone in the company with their product (which was required by law to be sent) with the security breach message at the bottom.

"Just trying to save you some time by combining these 2 emails into 1"

Read the article

[Mark+Bainter]

The law does not require them to report every time their web page is defaced.

"Data" in this case is defined as the first name, last name, and any combination of the following: Social Security Number, driver's license number, account number, debit or credit card information. The caveat being that the data acquired has to be non-encrypted. Should a security breach occur to a database housing encrypted customer data, the law does not apply.

Defacing a webpage doesn't fall under this law. Nor does it fall under this law if hackers only look at proprietary information about the business, financial statements whatever.

This is purely notification for customers when customer information has been illegally accessed.

Doesn't this just give them the right...

... to spam their customers?

-----------------

Dear valued customer (and CA taxpayer),

I send you this letter to ask for your advice.

Recently we had a security breach, and it is believed that your email address, social security and drivers license were all stolen.

We know this is probably a bad thing, but we're not really sure. Anyway, while you're reading this letter, why not try some Viagra?

Sincerely,

Your Electric Company

I find this fascinating all this Microsoft talk.

[LO0G]

If you read the article, it doesn't say ANYTHING about reporting security HOLES (of which Microsoft is plenty guilty).

It says about reporting security BREACHES.

Which is a whole 'nother ball of wax.

If Microsoft had their customer accounts database hacked, then they'd have to notify customers, not if there's a security hole in their product.

On the other hand, if your bank used Microsoft products and because of a security hole in the product, a hacker got access to their data, then they'd have to report this to their customers in California. Which would make them ticked off at Microsoft. And.....

Oh, and I disagree with at least one comment in the article - the article indicates that all you need to do is to encrypt your data to be safe from reporting under the law. The little I've read seems to indicate that if you feed the information to the hacker in a form he can read, you're vulnerable. So if your database is encrypted but you decrypt it before sending it to the customer (or hacker), you're toast.
Similarly, if you send the data to the hacker over an SSL connection, you're toast - the hacker can decrypt the data on the connection.

Does this apply to California Government?

[WC+as+Kato]

Remember when Slashdot reported that the State of California got a database hacked and had the identity of all of their government employee's data comprimised?

So with this law, the State of California would notify their employees that hackers have their data. Well, technically they did what they are proposing. Too bad this was after the Sacramento Bee newspaper reported it first! At least they provide a government link for help.

When this law passes, the State of California should sue themselves into compliance!