On Tue, Jul 11, 2006 at 05:50:06PM -0700, David Wagner wrote:
> No, it doesn't.  I think you've got it backwards.  That's not what SB1386
> says.  SB1386 says that if a company conducts business in California and
> has a system that includes personal information stored in unencrypted form
> and if that company discovers or is notified of a breach of the security of
> that system, then the company must notify any California resident whose
> unencrypted personal information was, or is reasonably believed to have
> been, acquired by an unauthorized person. [*]

A small, but very significant correction.  The law says "any breach of the 
security of the data," not "security of the system."

The more explicit paragraph is in 1798.82(b)

   (b) Any person or business that maintains computerized data that
   includes personal information that the person or business does not
   own shall notify the owner or licensee of the information of any
   breach of the security of the data immediately following discovery,
   if the personal information was, or is reasonably believed to have
   been, acquired by an unauthorized person.

And even though the code has already stated such, it further goes on
to define "security of the system" in 1798.82(d):

   (d) For purposes of this section, "breach of the security of the
   system" means unauthorized acquisition of computerized data that
   compromises the security, confidentiality, or integrity of personal
   information maintained by the person or business. [...]

> If you know or are notified that the security of your system has been
> breached and if you know or have some reason to believe that someone
> has received unauthorized access to unencrypted personal information
> about California residents, then sure, you have to act on the presumption
> that the personal information was spilled.  So what?  That seems awfully
> reasonable to me.

"reasonable" is for a judge or jury to decide.  A lawyer's job is to do
what's in the best interests of the client, and in this circumstance,
make a determination of what will be considered "reasonable" in court.
And ask three lawyers a question, you'll get at least four opinions. (The
same can be said for security geeks.)

But ultimately, what the lawyer is deciding is what's going to cost the
client less: disclosure or possibly the penalty of non-disclosure.  They'll
often opt for the former to avoid the possibly high cost of the latter.

I've been on and around the pointy end of this stick (and no,
not any publicized events).  If unauthorized access cannot clearly
be substantiated, it becomes a judgement call, based on a variety of
factors.  Factors might include duration between compromise and discovery
(e.g. they've been on the system so long that we just can't tell anymore),
intruder activities, etc.

> In short, my reading of SB1386 is that companies only have to notify
> customers if (a) they know or are notified of a security breach and
> (b) they know or have reason to believe that this breach led to an
> unauthorized disclosure of personal information.  In other words, SB1386
> treats companies as innocent until there is some reason to believe that
> they are guilty.  I don't know anything about SOX, but I think you've
> mis-characterized SB1386.  Don't tar SB1386 with SOX-feathers.

SB1386 doesn't spell out guilt or innocence.  It just provides a liability
shield for a company who complies with it, and spells out punitive
damages for failing to comply.

A company could make the decision that the penalty for non-disclosure
is less than it would cost otherwise, and choose to keep quiet and hope
for the best.

> [*] This is pretty close to a direct quote from Section 1798.82(a)
> of California law.  See for yourself:
> http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Better yet, go directly to the California Code (Civil Code Section):


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]