[EMAIL PROTECTED]
> Been with a reasonable number of General Counsels
> on this sort of thing.  Maybe you can blame them
> and not SB1386 for saying that if you cannot prove
> the data didn't spill then it is better corporate
> risk management to act as if it did spill.

Well, are you sure you haven't confused what they're saying about SOX, vs
what they're saying about SB1386?  It's easy for me to believe that they'd
say this about SOX, but the plain language of SB1386 seems pretty clear.

(It would also be easy for me to believe that a General Counsel would
say that if you have knowledge of a breach of security in one of your
systems and reason to believe that an unauthorized individual gained
access to personal information as a result, then you must assume that
you have to notify every person whose data was stored in the system and
who may have been affected by the breach, unless you can prove that those
persons weren't affected by that breach.  But that's very different from
how you characterized SB1386.)

If General Counsels are really saying that SB1386 requires you to act
as if data has spilled, even in absence of any reason whatsoever to
think there has been any kind of security breach or unauthorized access,
merely because you don't have proof that it hasn't spilled -- then yes,
that does sound strange to me.  That is not my understanding of the
intent of SB1386, and it is not what the language of SB1386 seems to say.

Then again, maybe your General Counsels know something that I don't;
it's always possible that the text of the law is misleading, or that
I'm missing something.  They're the legal experts, not me.

Personally, my suggestion is as follows: The next time that a General
Counsel claims to you that SB1386 requires you to assume data has spilled
(even in absence of any reason to believe there has been a security
breach) until you can prove to the contrary, I suggest you quote from
the text of SB1386, and let us know how they respond.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to