[EMAIL PROTECTED]
> Been with a reasonable number of General Counsels
> on this sort of thing. Maybe you can blame them
> and not SB1386 for saying that if you cannot prove
> the data didn't spill then it is better corporate
> risk management to act as if it did spill.
Well, are you sure you haven't confused what they're saying about SOX, vs what they're saying about SB1386? It's easy for me to believe that they'd say this about SOX, but the plain language of SB1386 seems pretty clear.

(It would also be easy for me to believe that a General Counsel would say that if you have knowledge of a breach of security in one of your systems and reason to believe that an unauthorized individual gained access to personal information as a result, then you must assume that you have to notify every person whose data was stored in the system and who may have been affected by the breach, unless you can prove that those persons weren't affected by that breach. But that's very different from how you characterized SB1386.)

If General Counsels are really saying that SB1386 requires you to act as if data has spilled, even in absence of any reason whatsoever to think there has been any kind of security breach or unauthorized access, merely because you don't have proof that it hasn't spilled -- then yes, that does sound strange to me. That is not my understanding of the intent of SB1386, and it is not what the language of SB1386 seems to say.

Then again, maybe your General Counsels know something that I don't; it's always possible that the text of the law is misleading, or that I'm missing something. They're the legal experts, not me.

Personally, my suggestion is as follows: The next time that a General Counsel claims to you that SB1386 requires you to assume data has spilled (even in absence of any reason to believe there has been a security breach) until you can prove to the contrary, I suggest you quote from the text of SB1386, and let us know how they respond.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]