On Tue, Jul 11, 2006 at 05:50:06PM -0700, David Wagner wrote:
> No, it doesn't. I think you've got it backwards. That's not what SB1386
> says. SB1386 says that if a company conducts business in California and
> has a system that includes personal information stored in unencrypted form
> and if that company discovers or is notified of a breach of the security of
> that system, then the company must notify any California resident whose
> unencrypted personal information was, or is reasonably believed to have
> been, acquired by an unauthorized person. [*]
A small, but very significant correction. The law says any breach of the
security of the data, not security of the system.
The more explicit paragraph is in 1798.82(b)
(b) Any person or business that maintains computerized data that
includes personal information that the person or business does not
own shall notify the owner or licensee of the information of any
breach of the security of the data immediately following discovery,
if the personal information was, or is reasonably believed to have
been, acquired by an unauthorized person.
And even though the code has already stated such, it further goes on
to define security of the system in 1798.82(d):
(d) For purposes of this section, breach of the security of the
system means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of personal
information maintained by the person or business. [...]
> If you know or are notified that the security of your system has been
> breached and if you know or have some reason to believe that someone
> has received unauthorized access to unencrypted personal information
> about California residents, then sure, you have to act on the presumption
> that the personal information was spilled. So what? That seems awfully
> reasonable to me.
Reasonable is for a judge or jury to decide. A lawyer's job is to do
what's in the best interests of the client, and in this circumstance,
make a determination of what will be considered reasonable in court.
And if you ask three lawyers a question, you'll get at least four opinions.
(The same can be said of security geeks.)
But ultimately, what the lawyer is deciding is what's going to cost the
client less: disclosure or the possible penalty of non-disclosure. They'll
often opt for the former to avoid the possibly high cost of the latter.
I've been on and around the pointy end of this stick (and no,
not any publicized events). If unauthorized access cannot clearly
be substantiated, it becomes a judgement call, based on a variety of
factors. Factors might include duration between compromise and discovery
(e.g. they've been on the system so long that we just can't tell anymore),
intruder activities, etc.
> In short, my reading of SB1386 is that companies only have to notify
> customers if (a) they know or are notified of a security breach and
> (b) they know or have reason to believe that this breach led to an
> unauthorized disclosure of personal information. In other words, SB1386
> treats companies as innocent until there is some reason to believe that
> they are guilty. I don't know anything about SOX, but I think you've
> mis-characterized SB1386. Don't tar SB1386 with SOX-feathers.
SB1386 doesn't spell out guilt or innocence. It just provides a liability
shield for a company who complies with it, and spells out punitive
damages for failing to comply.
A company could make the decision that the penalty for non-disclosure
is less than it would cost otherwise, and choose to keep quiet and hope
for the best.
> [*] This is pretty close to a direct quote from Section 1798.82(a)
> of California law. See for yourself:
> Better yet, go directly to the California Code (Civil Code Section):
The Cryptography Mailing List