Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
United States Security

Notifications of Security Breaches 130

LogError writes "On July 1, 2003, Senate bill 1386 becomes Civil Code 1798.82. In a nutshell, the law states that any person or company doing business in the state of California is responsible for notifying California residents of security breaches to their non-encrypted information. It is important to note that the actual breach does not need to occur in the state of California for the law to apply."
This discussion has been archived. No new comments can be posted.

Notifications of Security Breaches

Comments Filter:
  • Language? (Score:5, Funny)

    by CptChipJew ( 301983 ) * <michaelmillerNO@SPAMgmail.com> on Monday June 02, 2003 @06:38AM (#6094505) Journal
    Interestingly, there is no language in this law governing what the notification has to say, and whether or not it has to be easily understood by the customer.

    Dear Valued Taxpayer,

    Ihre Sozialversicherungzahl wurde von einem Hacker gestohlen. Er hat Ihre Identität gestohlen. Haben Sie einen schönen Tag.

    Sincerely,

    California Internal Revenue Service

    -This was Fished [altavista.com]. I apologize for the bad German.
    • by botzi ( 673768 )
      Uuuhhhhhh.....

      Their social security number was stolen by a hacker. He stole your identity. Have a beautiful day.



      This was BackFished [altavista.com]...

      Why do I feel so sure that that's not so close to what you wrote????;o)))))

      • Re:Language? (Score:2, Informative)

        by TCM ( 130219 )
        It is close to what he wrote.

        A "better" translation:

        Your SSN was stolen by a hacker. He stole your identity. Have a nice day.

        Good Job on Babelfish's side, although the original german expression was very simple and the last sentence expressed in a more-english-than-german-only-literally-translated style. This might have helped Babelfish.
        • Your SSN was stolen by a hacker.

          That's exactly what I'm missing here... How did Babelfish managed to translate it "Their"???? Is the pronoun he wrote down "Their" or "Your"??? 'Cause if it's Your and the Fish translates it Their.... well, hell buddy..... (the second your looks good, though)
          If on the other side he's written "Their"....;o)))))).. I've re-run the translation and, *of course*, it produced the same result....(otherwise I'd have been even more puzzled;o?)

          • Re:Language? (Score:3, Informative)

            by CptChipJew ( 301983 ) *
            To clarify for all you, I wrote this text:

            Your Social Security Number was stolen by a hacker. He also stole your identity. Have a nice day.

            I'd say the Fish [altavista.com] did a suprisingly good job with this, given it's history being useless as a tool for me to cheat with in Spanish class.
            • 10x;o).

              What actually bothers me is :
              Being totally clueless in German(I'll learn it soon, don't doubt it..) I suppose that the word "Ihre", present in the first and second phrase is Your....
              Well the heck, what kind of a bug may force Babelfish to totally screw it on the first occurence and correctly translate it on the second one???
              It's a simple word with no multiple meaning, or am I wrong????

              • Re:Language? (Score:2, Informative)

                by TCM ( 130219 )
                I guess it's the capitalisation. "ihre" is "their" while "Ihre" is mostly "your" in a more formal way. Babelfish seems to have trouble with the capitalised "Ihre" and not noticing/knowing what to do with it at the beginning of a sentence.

                Whatever..
            • Re:Language? (Score:3, Interesting)

              by Surak ( 18578 ) *
              I'd say the Fish did a suprisingly good job with this, given it's history being useless as a tool for me to cheat with in Spanish class.

              It's not surprising, actually. While many people assume that English is based mostly on Latin, the fact is that English is a language that based partly on Latin and partly on German. The syntax for English is actually closer to German than to Latin, while the syntax for Spanish, French and other romantic languages is clearly closer to Latin (which is why when you learn
              • Re:Language? (Score:5, Informative)

                by damiangerous ( 218679 ) <1ndt7174ekq80001@sneakemail.com> on Monday June 02, 2003 @09:08AM (#6095426)
                English is a Germanic language. It's only very distantly related to Latin, however, nearly half the vocabulary is Latin or French (romance) loan words (which is where your "partly based on" assumption probably came from). But English grammar is overwhelmingly Germanic, which betrays its true origins. To see where English came from, look at Icelandic. It's a language that has changed very little in 1,000 years and is very, very close to Old English. The main Latin influence came in the first half of the last millenia, during the Norman invasion of Britain, and the English language was nearly wiped out under the French/Latin dominance. This is the period where all the Latin influence came from. But when English returned to prominance in the 15th century as Middle English it had become basically the language we know today. Vowel and consonant sounds have changed greatly, but the language has remained fundamentally the same for the past 400 years or so.
                • Exactly. I oversimplified it because A) it was already offtopic and B) I made my point anyway (that English and German are far more similar than English and other so-called romance languages.) ;)
                • There's a book I'm reading now called
                  'The Power of Babel: A Natural History of Language' which I recommend if you're interested in
                  languages but not a linguist.
          • Re:Language? (Score:2, Informative)

            by LordNimon ( 85072 )
            The pronouns for "you" and "they" are the same. I know, it sucks.
          • Re:Language? (Score:2, Informative)

            by Golthar ( 162696 )
            In German and Dutch you have two ways of saying you.
            Du = you in German in a less formal way (close relatives, friends, etc)
            Ihr(e) = you in German in a more formal way (Like to your boss or people you owe money too)
          • Re:Language? (Score:3, Informative)

            by Shimbo ( 100005 )
            How did Babelfish managed to translate it "Their"

            It's a polite form: just as in English we used to use the plural "you" instead of "thee" as a mark of respect. In German, you use the third-party plural and capitalize it.

            That's why the second your is OK. It's not ambiguous because it's capitalized in the middle of the sentence. Who said natural languages aren't case-sensitive?
          • That's exactly what I'm missing here... How did Babelfish managed to translate it "Their"????

            In English, we call everyone "you". We used to call them "thou" and "you" depending on whether there was one or more people being addressed.

            Then, later, we started to use "you" as a politee address for individuals, because respected people were "more" than others. Eventually "you" took over and completely supplanted "thou".

            In French, it's the same, except that "you" didn't take over: they still have the singul
    • Ah, now if only you had used Basque, or try an endangered language [u-tokyo.ac.jp], then your clever ploy would have worked.
    • Dear Valued Taxpayer,

      Your social security number was stolen by a hacker. He stole your identity. Have a nice day.

      Sincerely,

      California Internal Revenue Service
    • "California Internal Revenue Service "

      Actually it's the Franchise Tax Board [ca.gov] of all the stupid damn names. Like I'm a franchise outlet of my Mom or something. Look at their mission run on sentencrrr... Mission Statement:

      The purpose of the Franchise Tax Board is to collect the proper amount of tax revenue, and operate other programs entrusted to us, at the least cost; serve the public by continually improving the quality of our products and services; and perform in a manner warranting the highest degree

  • by JSmooth ( 325583 ) on Monday June 02, 2003 @06:42AM (#6094520)
    So now we know when our info is violated...

    Dear __(name)__; On __(Date)__ at __(Time)__ your personal information was illegally acessed by "31337 Hackers", The FBI, Microsoft (circle all that apply).

    There is nothing you can do but the new law requires that we tell you. Neaner Neaner Neaner!
    • Thanks! I'll be adding that to my Kmail filters right away! ;)
      • You may want to consider ALWAYS filtering "neaners". Let's face anyone who actually know how to spell "neaner" should be avoided.

        I became a child when I shot my eye out with a bb gun

        I became a teenager when I followed the crowd and drank, smoke, did drugs and had sex with anything that moved.

        I became an adult when I realized I was the kind of person my mother use to warn me about.

        It was a busy day.
    • Well... Thats too easy to remedy... Just Rot13 Encrypt everything and your good to have a really insecure network that you don't have to tell anyone thats its in a constant state of being browsed and decoded... They should have set a minimum level of Encryption Its not so bad when all your info get stolen when its Securely encrypted with a secure key.. Then people should be notified if the key/mechanism to decrypt was obtained aswell.
  • by gerf ( 532474 ) on Monday June 02, 2003 @06:44AM (#6094532) Journal

    Really, this is a bare minimum of informing people. The few times this would apply is when something like this happens:

    Sorry, but we accidentally sent every SanFran registered voter's complete personal information to some accounting companies, rather than their 2002 ballots to be checked. And that information got lost in the mail. So, ah, all of your lives are floating out there somewhere in a canvas bag with U.S. Mail written on it. Sorry!

  • Ah, good old EBG13 (Score:5, Insightful)

    by Anonymous Coward on Monday June 02, 2003 @06:44AM (#6094533)
    non-encrypted

    So just ROT13 everything and the law goes bye bye. Hell, it worked for Adobe.
  • by Tsu Dho Nimh ( 663417 ) <abacaxi&hotmail,com> on Monday June 02, 2003 @06:45AM (#6094535)
    "Data" in this case is defined as the first name, last name, and any combination of the following: Social Security Number, driver's license number, account number, debit or credit card information."

    And do pfishers have to tell California residents when they have stolen their credit card information?

    • Another thing that bothers me about this is the "account number" thing. What happens if you're at a Blockbuster and your account number is PRINTED ON THE RECIEPT and someone looks at it. If that is what constitutes "interception of unencrypted data" then I fear for the future. Of course, with the current laws outlawing honeypots and VPNs, now we have a law that forces us to report intruders, and another law forbiding us to detect or protect against intruders. Fantastic. God bless America. Time to move
  • Worldwide law (Score:5, Insightful)

    by Fembot ( 442827 ) on Monday June 02, 2003 @06:47AM (#6094541)
    "Even more compelling, this law applies worldwide, to any company doing business in the state,"

    I doubt they're gonnna go round extraditing people for this.. probably just pick them up at the airport or somthing

    And anotherthing... How exactly will you know if there has been a security breach? If I send data unencrypted anyone at any ISP along the way could potentialy be listening in without me ever knowing.
    • Re:Worldwide law (Score:5, Insightful)

      by kaltkalt ( 620110 ) on Monday June 02, 2003 @08:00AM (#6094961)
      It is very disingenuous to say it "applies worldwide" without noting that it applies to worldwide companies who are "doing business" in the state.

      As long as a company is doing business in the state, "doing business" defined as: having a registered agent in the state of California, having a physical office, contracting to do business with vendors in the state (parts manufacturers, suppliers), or having retail outlets in the state[.]

      If the company is purposely availing themselves in california, taking advantage of california laws in running its business (i.e. it gets to use CA laws to enforce its contracts, use california police to prevent its outlets from being robbed, etc.) then it is perfectly fair for the company to have to obey this law. If you are selling something on ebay it doesn't apply to you, so don't worry. This only applies to people who intentionally and knowningly do business in the state. Nobody who this law applies to is going to be shocked that "woah california laws apply to me?" They know or should know.
      • What if you've never set foot in the states, and all of your product is sold in Taiwan to a Taiwanese company? The Taiwanese company opens a branch office in the US and either uses your product as a part or rebadges your product and sells it in the US. Some of that product makes its way to California. Does this mean that you have to abide by California Law? I'm sure multinational companies will at least have some indirect connection to the US and perhaps to California. How many degrees of separation d
        • Damn...good point. What happens in that situation? I would assume that since the first company (the manufacturer) doesn't have a storefront or an agent in CA, then the law does not apply, since there's no way to track resellings. What happens if you sell your CDs to a pawn shop and then someone accesses your address book or something? The law is very vague and not well thought out.
        • Your scenario is practically just like the Asahi Metal case. 480 U.S. 102 (very important SCOTUS personal jurisdiction case). The answer is clearly no, assuming it's not part of the deal for the Taiwanese company to open an office in the US and sell your products in California. There's no "degree of separation" test, though. It's a matter of what a company does directed at the forum state. Did they advertise there? Do they have an office there? Do they have retail outlets there? Do they have agents t
  • Bad idea... (Score:5, Insightful)

    by Anonymous Coward on Monday June 02, 2003 @06:58AM (#6094586)
    With the economy going like it is, I doubt the businesses can afford to spend the time monitoring for this sort of situation. Not to mention the ill-will this will generate among customers.

    From what I've read, most companies realize that hackers are simply in it for kicks and don't bother notifying the customer because it just causes a lot of panic. Forcing them to report every single time their web page is defaced is going to cost them a lot of business.

    • Read the article (Score:5, Insightful)

      by Mark Bainter ( 2222 ) on Monday June 02, 2003 @08:28AM (#6095164)
      The law does not require them to report every time their web page is defaced.

      "Data" in this case is defined as the first name, last name, and any combination of the following: Social Security Number, driver's license number, account number, debit or credit card information. The caveat being that the data acquired has to be non-encrypted. Should a security breach occur to a database housing encrypted customer data, the law does not apply.

      Defacing a webpage doesn't fall under this law. Nor does it fall under this law if hackers only look at proprietary information about the business, financial statements whatever.

      This is purely notification for customers when customer information has been illegally accessed.

  • *All* breaches? (Score:4, Insightful)

    by 42forty-two42 ( 532340 ) <bdonlan@g m a i l . c om> on Monday June 02, 2003 @07:00AM (#6094595) Homepage Journal
    What if you don't know about it?
  • by jabbadabbadoo ( 599681 ) on Monday June 02, 2003 @07:02AM (#6094601)
    I don't see Microsoft moving HQ to California any time soon.
    • To Whom it May Concern:

      On June 26, a middle level manager at our company opened an email claiming that a friend had sent him something "for him to see." This manager opened the email in Outlook Express. Approximately two hours later, the entire network was shut down, all of our databases were open to any traffic that wished to view it, and every computer in the department was forced to spend the rest of the day with a picture of a woman having sexual intercourse with a horse for a desktop image.

      We a
  • by BrynM ( 217883 ) * on Monday June 02, 2003 @07:08AM (#6094634) Homepage Journal
    I can see a whole bunch of managers cutting their security budgets right now. I assume that they have to find the breach before it can be reported...so... don't find security breaches. If the managers/executives/powers-that-be decide that the data is too general (like addresses and such), then why should they monitor the security and risk such a public exposure. "We have only had to announce three security breaches this month compared to our (honest) competitor who has had twenty-four. Wouldn't you rather do business with us?"

    At least the article is geared to being honest.

    • by poot_rootbeer ( 188613 ) on Monday June 02, 2003 @10:08AM (#6095953)
      I assume that they have to find the breach before it can be reported...so... don't find security breaches.

      Any security professional employed by a reputable company will cough and sputter at the idiocy of such a suggestion.

      Of course, that doesn't preclude bean-counters or decision-makers from higher up from forcing such a policy into effect anyway...
    • I agree that this would be the first PHB inclination.

      The California law does not void the standing legal principles of "due dilligence" and "due care".

      Due Care means, basically, that a manager can be held liable for loss or damages, when provisions were not made to prevent them. The standard used is "measures a reasonable person would take, given the facts."
      Due Dilligence covers the loophole in "given the facts". This means a "reasonable effort" to ascertain the nature of risks, and appropriate countermeasures.

      • I think any manager cought doing this would play dumb and blame the admins and techs though. I personally have had higher-up tell me not to cc them on things or not to fully explain something just so they could play dumb without cracking a smile (not at my current job though). When I worked sales, we had a hand signal to give the manager when you just wanted him/her to say "no" dramatically to a customer request. I would say something like "Let me go ask my manager" and as I walked up to the manager I wo
        • Yes. I see this too!

          IANAL, but I have to deal in the legal issues which justify Information Security posture... When this counts - once someone sues you.

          The lawyers for the opposition demand a paper-trail demonstrating that principles of Due Care were observed in the handling of information, and in securing hosts and networks. No paper-trail of invoices, policies, memos, staff assignments, etc.? Willful negligence

          • I agree that this WILL get ugly for the exec who uses such tactics, but without a framework of what "Due Care" is, the system will be abused until a horrifying example is made of someone. Sadly, I fear it's the tech who will be blamed for not informing upper management "properly", ie: in a way for the non-technical to understand like drawing a picture and tatooing "We were hacked, We're screwed. Love, Tom the Tech." across an exec's forehead. There's just waaayyyy to much wiggle room for an exec to use t
            • Yeah - Probably the Sr. Techs who will be on the line. In a non-dysfunctional corporate culture, you'd want Directors and VP's who'd rely on tech staff to provide the expert technology advice for dilligence and care.

              In reality these people are more often "facing-up" on budgets, etc. They won't improve process 'til they get their fingers burned. First time: fire your staff. Second time: try and get the new staff to avoid a second-time!

    • + 5 Insightfull????
      + 5 Insightfull????

      this should be +100 Fucking "on the money"

      hope your gona buy a lotto ticket today BrynM
    • This probably won't happen because there are other laws { Graham-Leach-Bliley (GLB), etc.} that require the organization to take reasonable measures to comply. That means that if you play dumb and cut your security budget, you'll likely lose a legal battle if your organization gets sued for disseminating CA resident non-public information. Regulated industries like Financials or Healthcare (read HIPAA) also have yearly audit requirements that could go badly if basic steps requirements are not met.

      You can
      • I hadn't though of this tied to HIPAA. This could get ugly for small businesses as well as corporations then. There are lots of small pharmacies, dentists and doctors offices that don't even adequately firewall their internet connection or know how to patch software and operating systems, let alone secure them. They are only now learning of these things in a panic because the first HIPAA deadline is here. With this legislation, they can forget their plans on "easing in" HIPAA compliance as the various d
    • Well I wouldn't go that far... If it happends enough CC ocmanies will add it all togther and notify the companies/press about the breach.. and customers will find out that thier data has been posted on the internet for 4 months before they were notified :) Just the threat of that should make IT managers utilize atleast ROT13 style encryption :)
  • by Larthallor ( 623891 ) on Monday June 02, 2003 @07:23AM (#6094715)
    This law seems to be intended to make it more than just good customer service to notify Californians when someone has potentially stolen their identifying information (Name, SSN, etc.) by hacking your company's weak-ass system.

    In fact, there is a provision that the law doesn't apply if you store the customer's data in an encrypted format. The clear intent of this is to provide an incentive to companies to start storing encrypted data, in the belief that if the data is "stolen" it will be useless to the thief. Of course, this seems to be a provision that is geared more to guard against physical theft of persistant storage, as it probably wouldn't help if the system is actually rooted and the decryption keys become compromised or the part of the system that is up/downstream of the crypt routines is hijacked.

    In any case, this seems designed to force companies to take their (Californian) customers' personal information's security a bit more seriously than many seem to and is probably part of a more comprehensive effort to prevent identity theft in general.

    In my opinion, this law (or one like it) is a Good Thing (tm).
    • In my opinion, this law (or one like it) is a Good Thing (tm).

      I'm not so sure. I have mixed emotions. On one hand, it's a good thing for companies to have to notify customers of an actual breech because it will require them to take data security seriously and take actual steps to prevent theft or at least make the theft of the data useless to a thief.

      The problem is that this extends to all companies worldwide. Honestly, I don't see how this can be avoided, but it further sets the precedent that the laws of one locality's whim affect the whole 'Net. That's a problem from a censorship standpoint especially in this politically correct age where anything offensive is basically considered okay to censor.

      If people in say that blogs are offensive to them and anyone who runs a blog is subject to some sort of fine or tax on blogs, then Slashdot and various users that have journals on Slashdot could end up having to pay said fine or tax to people that locality. It sounds far-fetched, but it's laws like this that slowly erode away individual rights that will eventually lead to the death of the 'Net as we know it.

      Of course, I could just be talking completely out my ass and have no idea what I'm saying because IANAL, so take this with a grain of salt if you will.

      So yeah, it IS a good thing don't get me wrong, but the vagueness of the law combined with it's supposed worldwide reach do have me a little concerned.
      • If people in say that blogs are offensive to them and anyone who runs a blog is subject to some sort of fine or tax on blogs, then Slashdot and various users that have journals on Slashdot could end up having to pay said fine or tax to people that locality. It sounds far-fetched, but it's laws like this that slowly erode away individual rights that will eventually lead to the death of the 'Net as we know it.

        Fortunately, the First Amendment would probably keep this kind of flippant taxation from ever work

        • Fortunately, the First Amendment would probably keep this kind of flippant taxation from ever working. Becides, perhaps I could put a disclaimer on my blog: "Do not read if you are in the following locales: x, y, z".

          Yeah, because the first amendment has done such a wonderful job preventing laws like the DMCA from being passed.

      • See here [slashdot.org] for a good assessment of why the "worldwide" scope isn't really overreaching.
    • LOL... This bill was probably lobbied by Encryption companies like RSA and the such :)
  • Dear Microsoft Customre,

    Due to event A, please update your OS or buy winXP to secure your data..

    Thanks,

    Billie Goat Gates
  • by zogger ( 617870 ) on Monday June 02, 2003 @07:39AM (#6094802) Homepage Journal
    Any rookie lawyer has an open season on this one. It is so vague as to be almost useless. Reads more like IT "feelgood" legislation. It is somewhat well intentioned, but way vague. I understand the intent, this is obvious, but those darn pesky details are always the bugger. Encrypted data? That means *any* encryption technique.(note, maybe they have a codofied definition of that, if so, that would change things) A directory name written in pig latin would might fly as an example of that. "eekritsay ustomercay ataday hisawaytay" And notification? Postcard to someone -> "Hey, vern, looks like someone got your stuff, you should have been more careful, donchaknow". And as pointed out, it really would be much cheaper for companies now to not give a care about security, it actually encourages them to *not find out* about breaches. It's a variant of "don't ask, we won't look, so no one has to tell". Of course the counter argument would be like "well, then businesses would face possible loss when customers found out on their own, and the word got around, and etc". Sounds nice, doesn't work / hasn't worked in the real world so far though.

    I don't see this radically changing things though, I expect that most companies will continue more or less like they are now. Possible exception might be some really large companies would have to individually notify all their licensed users with any security related bug shows up, because once THEY have been notified of an exploit that has been used,not just proposed theoretically but used, it would *seem* to mandate they must notify their thousands or millions of customers, per the description of who is doing business inside the state. Technically anything discovered in house applies, realistically, perhaps some shredding might happen if it looks like a bad breech occurred, cyber shredding and paper shredding, as a more cost effective solution. Or just a canned response, "we have discovered a minor security breech, our crack team of professionals have fixed the problem" whatnot. who knoweth....

    Probably take several examples before case law sorts this out, or it might be challenged and dropped on the first case as too vague and unenforceable.
    • Of course, in addition to the excellent points made by Zogger, I'd like to point out how useless this law is as it relates to the real issue

      For every company falling under this law's jurisdiction that is large enough to have an IT staff and its own servers, there are probably 100 that buy shared hosting and shopping cart services from 3rd party vendors. So, in those much more prevalent situations, who is responsible for notifying the end customer? Is it the server farm owner, the server farm customer, or

      • Looks like the potential for some serious buck passing here, with everyone pointing fingers--> upstream to the companies, who will then turn around and point this way --> code and sales jocks.

        Ya all devgeeks, LOOKOUT! CYA over there in cal, DOCUMENT THE LIVING HECK out of whatever you do know if it involves "cash" and "customer data" downstream anyplace.

        lawyers/legislators -gotta love 'em! At least THEY know how to profit in a recession! heh heh heh

        Idea! EVERYONE IN THE KNOWN UNIVERSE get a law deg
  • by Quila ( 201335 ) on Monday June 02, 2003 @07:54AM (#6094914)
    If only "...acquisition of computerized data in non-encrypted form by an unauthorized person" had been "...by a person not authorized by the company."

    Technically they might have to, by law, inform you of all those secret searches being carried out under the TREASON - er - PATRIOT act, which forbids them from informing you.

    The agents would be authorized by law, but not by the company.
  • by GrandCow ( 229565 ) on Monday June 02, 2003 @07:59AM (#6094956)
    Interestingly, there is no language in this law governing what the notification has to say, and whether or not it has to be easily understood by the customer

    To: someoneinCA@aol.com
    Subject: Grow your penis 10 inches in less than a day!

    Greetings fellow soon to be elephant sized penis man. Let me take the time to tell you about a GUARANTEED and PROVEN method we've developed over 30 years to work perfectly the first time and give you up to 10 inches more in your member's length! All you have to do is realize that your wildest dream is about to come true and just click on our website and order our system! Under Civil Code 1798.82 your information was downloaded illegally by a hacker on July 10, 2003. Act now!

    • Re:I can see it now (Score:5, Interesting)

      by GrandCow ( 229565 ) on Monday June 02, 2003 @08:04AM (#6094997)
      Actually... now that I think about it, I could possibly see a spam company getting with a large corporation, setting up a false break in, and sending the email to everyone in the company with their product (which was required by law to be sent) with the security breach message at the bottom.

      "Just trying to save you some time by combining these 2 emails into 1"

  • Wow! (Score:3, Funny)

    by Pig Hogger ( 10379 ) <pig.hogger@gmail ... m minus caffeine> on Monday June 02, 2003 @08:36AM (#6095217) Journal
    Does this means that Microsoft will pull-out of California???
  • by Anonymous Coward on Monday June 02, 2003 @08:41AM (#6095260)
    ... to spam their customers?

    -----------------

    Dear valued customer (and CA taxpayer),

    I send you this letter to ask for your advice.

    Recently we had a security breach, and it is believed that your email address, social security and drivers license were all stolen.

    We know this is probably a bad thing, but we're not really sure. Anyway, while you're reading this letter, why not try some Viagra?

    Sincerely,

    Your Electric Company
  • by LO0G ( 606364 ) on Monday June 02, 2003 @08:49AM (#6095307)
    If you read the article, it doesn't say ANYTHING about reporting security HOLES (of which Microsoft is plenty guilty).

    It says about reporting security BREACHES.

    Which is a whole 'nother ball of wax.

    If Microsoft had their customer accounts database hacked, then they'd have to notify customers, not if there's a security hole in their product.

    On the other hand, if your bank used Microsoft products and because of a security hole in the product, a hacker got access to their data, then they'd have to report this to their customers in California. Which would make them ticked off at Microsoft. And.....

    Oh, and I disagree with at least one comment in the article - the article indicates that all you need to do is to encrypt your data to be safe from reporting under the law. The little I've read seems to indicate that if you feed the information to the hacker in a form he can read, you're vulnerable. So if your database is encrypted but you decrypt it before sending it to the customer (or hacker), you're toast.
    Similarly, if you send the data to the hacker over an SSL connection, you're toast - the hacker can decrypt the data on the connection.
  • Will this level of encryption suffice?

    http://ccwf.cc.utexas.edu/~eclectic/toys/jive.html [utexas.edu]
  • by WC as Kato ( 675505 ) on Monday June 02, 2003 @09:49AM (#6095803)

    Remember when Slashdot reported [slashdot.org] that the State of California got a database hacked and had the identity of all of their government employee's data comprimised?

    So with this law, the State of California would notify their employees that hackers have their data. Well, technically they did what they are proposing. Too bad this was after the Sacramento Bee newspaper reported [sacbee.com] it first! At least they provide a government link [ca.gov] for help.

    When this law passes, the State of California should sue themselves into compliance!

    • That very incident was the reason this new law was introduced. It took the State three months or more before notifying the employees that their personnel files had been hacked.

      They won't be able to do that anymore, and claim they needed the time to investigate the incident.
  • So...
    What they're saying is basically if I "encrypt" everything I store with rot13 then when someone breaks in and steals [insert favorite sensitive bit of data here] from my database I dont have to say a thing to anyone - after all, it was encrypted....

    DUH!!!!!! /~mikeg
    • No, the California law looks at the question of whether data is encrypted on a post-hoc basis. That is to say, if the encryption system is broken, then the notice requirement is triggered. A low level encryption is fine - unless it is broken. DoD level security systems don't get you out of the notice requirement if they are in fact broken.

      The more ambiguous question is whether a company "reasonably believes" a breach has occured. If there's a breach, but the data was encrypted, is it reasonable to bel

  • One thing that came up in policy planning discussion is that this does not apply strictly to databases. (IANAL, but this came from the Legal department.)

    If you were to make a hard copy document that includes the relevant personal information (think employee records), the piece of paper is covered by this law. Unauthorized access to the document would trigger the reporting requirements. Access to the unencrypted information is being regulated.

    Hopefully non-techs are being told to lock file cabinets and
  • Now I have an excuse to encrypt everything AND stop doing business with California!

    The first - just because. The second because this will benefit California lawyers more than any consumer. It means they can sue a Michigan company just because they sold something to someone in California once, and lawyers just love to jump on a case like that and bust someone for millions.

    And since there is no effective prosecution of hackers, the company winds up getting screwed both ways.
  • Maybe companies will FINALLY encript their data. Virtually every break-in and theft of data I have ever read about would have been a non-story had they simply used encryption, even if using a 33 year old algorithm. Instead, there was no accountability, and thus no need to take common sence measures.

    Now, there is.
  • Keep in mind this guy does have a financial interest in making sure that companies prepare for SB 1386, but with that said there's a pretty good reasource here [strongauth.com]. The FAQ goes over the basics pretty well and there's a good leagalese to english translation.

    (Side note, I saw this guy speak at one of the Silicon Valley chapter ISSA [issa.org] meetings. The tone everyone had, especially from the Medical IT guys like myself, was this is going to be a HUGE headache next time a big worm comes around.)

    Cheers,

    -E2
  • So revelation of first & last names, plus an account number, stored unencrypted, is a trigger, huh? What's an "account number"? Does the law define it? If I cat /etc/passwd, does the sysadmin have to notify everybody?

    Damn.

  • Can anyone explain to me why I see this news on BBC, but not on CNN? Is it a sort of censorship or most of Americans don't think it's a news worth of reading?

    A review [bbc.co.uk] into the detention of hundreds of foreign nationals in the United States following the 11 September 2001 attacks has found significant problems in the way they were handled.

    The report, by the inspector general of the US Justice Department, says some of the detainees were held in unduly harsh conditions and were subject to abuse.

    The repo

Adding features does not necessarily increase functionality -- it just makes the manuals thicker.

Working...