Slashdot Mirror

← Back to Stories (view on slashdot.org)

Notifications of Security Breaches

Posted by michael on from the heard-it-through-the-grapevine dept.

LogError writes "On July 1, 2003, Senate bill 1386 becomes Civil Code 1798.82. In a nutshell, the law states that any person or company doing business in the state of California is responsible for notifying California residents of security breaches to their non-encrypted information. It is important to note that the actual breach does not need to occur in the state of California for the law to apply."

14 of 130 comments (clear)

  1. Language? by CptChipJew · · Score: 5, Funny

    Interestingly, there is no language in this law governing what the notification has to say, and whether or not it has to be easily understood by the customer.

    Dear Valued Taxpayer,

    Ihre Sozialversicherungzahl wurde von einem Hacker gestohlen. Er hat Ihre Identität gestohlen. Haben Sie einen schönen Tag.

    Sincerely,

    California Internal Revenue Service

    -This was Fished. I apologize for the bad German.

    --
    Vonal Declosion
  2. a new mail folder by JSmooth · · Score: 5, Funny

    So now we know when our info is violated...

    Dear __(name)__; On __(Date)__ at __(Time)__ your personal information was illegally acessed by "31337 Hackers", The FBI, Microsoft (circle all that apply).

    There is nothing you can do but the new law requires that we tell you. Neaner Neaner Neaner!

  3. Applications Lacking? by gerf · · Score: 5, Funny

    Really, this is a bare minimum of informing people. The few times this would apply is when something like this happens:

    Sorry, but we accidentally sent every SanFran registered voter's complete personal information to some accounting companies, rather than their 2002 ballots to be checked. And that information got lost in the mail. So, ah, all of your lives are floating out there somewhere in a canvas bag with U.S. Mail written on it. Sorry!

  4. Ah, good old EBG13 by Anonymous Coward · · Score: 5, Insightful

    non-encrypted

    So just ROT13 everything and the law goes bye bye. Hell, it worked for Adobe.

    1. Re:Ah, good old EBG13 by iapetus · · Score: 5, Funny

      Certainly not. Lawmakers have at least vaguely cottoned on to how encryption strength is measured. They'd want ROT-52 at least, and ROT-156 for data with a higher security risk...

      --
      ++ Say to Elrond "Hello.".
      Elrond says "No.". Elrond gives you some lunch.
  5. Bad idea... by Anonymous Coward · · Score: 5, Insightful
    With the economy going like it is, I doubt the businesses can afford to spend the time monitoring for this sort of situation. Not to mention the ill-will this will generate among customers.

    From what I've read, most companies realize that hackers are simply in it for kicks and don't bother notifying the customer because it just causes a lot of panic. Forcing them to report every single time their web page is defaced is going to cost them a lot of business.

  6. "there are no existing industry best practices" by BrynM · · Score: 5, Insightful
    I can see a whole bunch of managers cutting their security budgets right now. I assume that they have to find the breach before it can be reported...so... don't find security breaches. If the managers/executives/powers-that-be decide that the data is too general (like addresses and such), then why should they monitor the security and risk such a public exposure. "We have only had to announce three security breaches this month compared to our (honest) competitor who has had twenty-four. Wouldn't you rather do business with us?"

    At least the article is geared to being honest.

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  7. This is intended to protect California consumers by Larthallor · · Score: 5, Insightful

    This law seems to be intended to make it more than just good customer service to notify Californians when someone has potentially stolen their identifying information (Name, SSN, etc.) by hacking your company's weak-ass system.

    In fact, there is a provision that the law doesn't apply if you store the customer's data in an encrypted format. The clear intent of this is to provide an incentive to companies to start storing encrypted data, in the belief that if the data is "stolen" it will be useless to the thief. Of course, this seems to be a provision that is geared more to guard against physical theft of persistant storage, as it probably wouldn't help if the system is actually rooted and the decryption keys become compromised or the part of the system that is up/downstream of the crypt routines is hijacked.

    In any case, this seems designed to force companies to take their (Californian) customers' personal information's security a bit more seriously than many seem to and is probably part of a more comprehensive effort to prevent identity theft in general.

    In my opinion, this law (or one like it) is a Good Thing (tm).

  8. the mother of vagueness by zogger · · Score: 5, Insightful

    Any rookie lawyer has an open season on this one. It is so vague as to be almost useless. Reads more like IT "feelgood" legislation. It is somewhat well intentioned, but way vague. I understand the intent, this is obvious, but those darn pesky details are always the bugger. Encrypted data? That means *any* encryption technique.(note, maybe they have a codofied definition of that, if so, that would change things) A directory name written in pig latin would might fly as an example of that. "eekritsay ustomercay ataday hisawaytay" And notification? Postcard to someone -> "Hey, vern, looks like someone got your stuff, you should have been more careful, donchaknow". And as pointed out, it really would be much cheaper for companies now to not give a care about security, it actually encourages them to *not find out* about breaches. It's a variant of "don't ask, we won't look, so no one has to tell". Of course the counter argument would be like "well, then businesses would face possible loss when customers found out on their own, and the word got around, and etc". Sounds nice, doesn't work / hasn't worked in the real world so far though.

    I don't see this radically changing things though, I expect that most companies will continue more or less like they are now. Possible exception might be some really large companies would have to individually notify all their licensed users with any security related bug shows up, because once THEY have been notified of an exploit that has been used,not just proposed theoretically but used, it would *seem* to mandate they must notify their thousands or millions of customers, per the description of who is doing business inside the state. Technically anything discovered in house applies, realistically, perhaps some shredding might happen if it looks like a bad breech occurred, cyber shredding and paper shredding, as a more cost effective solution. Or just a canned response, "we have discovered a minor security breech, our crack team of professionals have fixed the problem" whatnot. who knoweth....

    Probably take several examples before case law sorts this out, or it might be challenged and dropped on the first case as too vague and unenforceable.

  9. Re:Worldwide law by kaltkalt · · Score: 5, Insightful

    It is very disingenuous to say it "applies worldwide" without noting that it applies to worldwide companies who are "doing business" in the state.

    As long as a company is doing business in the state, "doing business" defined as: having a registered agent in the state of California, having a physical office, contracting to do business with vendors in the state (parts manufacturers, suppliers), or having retail outlets in the state[.]

    If the company is purposely availing themselves in california, taking advantage of california laws in running its business (i.e. it gets to use CA laws to enforce its contracts, use california police to prevent its outlets from being robbed, etc.) then it is perfectly fair for the company to have to obey this law. If you are selling something on ebay it doesn't apply to you, so don't worry. This only applies to people who intentionally and knowningly do business in the state. Nobody who this law applies to is going to be shocked that "woah california laws apply to me?" They know or should know.

    --

    Stupid people make stupid things profitable.
  10. Re:I can see it now by GrandCow · · Score: 5, Interesting

    Actually... now that I think about it, I could possibly see a spam company getting with a large corporation, setting up a false break in, and sending the email to everyone in the company with their product (which was required by law to be sent) with the security breach message at the bottom.

    "Just trying to save you some time by combining these 2 emails into 1"

    --
    "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
  11. Read the article by Mark+Bainter · · Score: 5, Insightful
    The law does not require them to report every time their web page is defaced.

    "Data" in this case is defined as the first name, last name, and any combination of the following: Social Security Number, driver's license number, account number, debit or credit card information. The caveat being that the data acquired has to be non-encrypted. Should a security breach occur to a database housing encrypted customer data, the law does not apply.

    Defacing a webpage doesn't fall under this law. Nor does it fall under this law if hackers only look at proprietary information about the business, financial statements whatever.

    This is purely notification for customers when customer information has been illegally accessed.

    --
    "No nation could preserve its freedom in the midst of continual warfare."
    --James Madison
  12. Doesn't this just give them the right... by Anonymous Coward · · Score: 5, Funny

    ... to spam their customers?

    -----------------

    Dear valued customer (and CA taxpayer),

    I send you this letter to ask for your advice.

    Recently we had a security breach, and it is believed that your email address, social security and drivers license were all stolen.

    We know this is probably a bad thing, but we're not really sure. Anyway, while you're reading this letter, why not try some Viagra?

    Sincerely,

    Your Electric Company

  13. I find this fascinating all this Microsoft talk. by LO0G · · Score: 5, Insightful

    If you read the article, it doesn't say ANYTHING about reporting security HOLES (of which Microsoft is plenty guilty).

    It says about reporting security BREACHES.

    Which is a whole 'nother ball of wax.

    If Microsoft had their customer accounts database hacked, then they'd have to notify customers, not if there's a security hole in their product.

    On the other hand, if your bank used Microsoft products and because of a security hole in the product, a hacker got access to their data, then they'd have to report this to their customers in California. Which would make them ticked off at Microsoft. And.....

    Oh, and I disagree with at least one comment in the article - the article indicates that all you need to do is to encrypt your data to be safe from reporting under the law. The little I've read seems to indicate that if you feed the information to the hacker in a form he can read, you're vulnerable. So if your database is encrypted but you decrypt it before sending it to the customer (or hacker), you're toast.
    Similarly, if you send the data to the hacker over an SSL connection, you're toast - the hacker can decrypt the data on the connection.