[fw-wiz] Re: Flawed Surveys [was: VPN endpoints]

From: Abe Singer (abe_at_sdsc.edu)
Date: 09/04/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 3 Sep 2004 15:35:18 -0700
    
    

    From: MHawkins@TULLIB.COM [mailto:MHawkins@TULLIB.COM]
    Subject: RE: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]

    > Message: 7
    >
    > Mike,
    >
    > > Mike - In CA all public companies must disclose any security breaches.
    >
    > This is not true. Security breaches WHERE CUSTOMER INFORMATION was
    > compromised must be reported.

    If you are referring to legislation commonly known as SB1386, this too
    is not quite accurate.

    (disclaimer: IANAL, but I have read the text of the bill)

    The law requires that any breach of security of, i.e. exposure of, "personal
    information" (defined below) be, and this is important: disclosed to
    the *person whose information was exposed.*

    And that in turn is limited to CA residents. Not to the general public,
    and not to non-residents who may have had information exposed.

    Now the upshot is that this often ends up resulting in a public disclosure,
    but the company complying may choose to just quietly notify the residents
    affected.

    The term "personal information" is quite specifically defined as the
    person's name in *combination* with one of the following: Social Security
    number, driver's license, state ID, or credit card/debit card/account
    number plus any PIN required for access.

    Furthermore, the law only applies to disclosure of "unencrypted"
    information. However, it does not define allowed methods of encryption.
    Theoretically one could rot13 the data and consider it encrypted.
    (no comment on rot26)

    > CA's legislation primarily is intended to indirectly protect privacy.

    The law was written, not as a privacy law, but to address identity
    theft (and yes, you could argue that privacy is part of ID theft, but
    I'm talking about the actual text of the law). By requiring companies
    that handle information used in identity theft to notify individuals
    that their information had been exposed, those potential victims have
    an opportunity to take measures to protect themselves.

    Furthermore, the law provides a shield to liability to the company
    who discloses -- a victim of ID theft can extract some civil penalties
    from a company who fails to disclose, by suing them and proving that
    the information was exposed. There is no criminal penalty for failing
    to disclose a breach.

    For those who actually dig reading the law, the text of the bill as
    passed can be found here:

        http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
