From: Tony Bartoletti <azb@llnl.gov>
To: iwar@yahoogroups.com
Date: Fri, 15 Nov 2002 14:22:00 -0800
Subject: [iwar] California Enacts Cyber-Intrusion Reporting Requirements.
Reply-To: iwar@yahoogroups.com

California enacts cyber-intrusion reporting requirements.

>Computer Break-Ins: Your Right to Know;
>California law now demands that the public be informed when government or
>corporate databases are breached. It's about time
>Copyright 2002 The McGraw-Hill Companies, Inc. All Rights Reserved
>Business Week Online...11/11/2002
>
>Alex Salkever
>
>In April, 2002, hackers broke into the payroll database for the state of
>California. For more than a month, cybercriminals rooted around in the
>personal information of 265,000 Golden State employees, ranging from Governor
>Gray Davis to maintenance workers and clerks.
>
>Worse, the California Controller's Office, which ran the database, failed to
>notify state employees for more than two weeks after the breach was
>discovered. Although officials with the Controller's office insisted the
>break-in probably hadn't resulted in any significant harm, the incident
>enraged Golden State pols and employees, whose Social Security numbers, bank
>account information, and home addresses were fair game for the hackers.
>
>This lapse sparked what may mark a dramatic shift in legal policy toward
>cybersecurity. Over strenuous objections from the business lobby, on Sept. 26
>California enacted a sweeping measure that mandates public disclosure of
>computer-security breaches in which confidential information may have been
>compromised. The law covers not just state agencies but private enterprises
>doing business in California. Come July 1, 2003, those who fail to disclose
>that a breach has occurred could be liable for civil damages or face class
>actions.
>
>LEAPFROGGING D.C. According to legal experts, this is the first state law of
>its kind. And because of California's size and prominent role in the
>high-tech industry, it could create a de facto national disclosure policy.
>What's more, the California law leapfrogs efforts by industry and White House
>cybersecurity chief Richard Clarke to create an amnesty policy designed to
>encourage companies to share information about breaches with law enforcement.
>That policy, which is written into the still-pending House version of the
>Homeland Security Act, would exempt from the U.S. Freedom of Information Act
>any information about security breaches that's shared with the federal
>government.
>
>I think the California law is long overdue. In far too many instances,
>companies and governments have kept mum after they were hacked, seeking to
>preserve their reputations and avoid public outcry while their customers face
>risk of identity theft. Computer-security breaches must be treated like any
>other issue of public safety, and people must be informed when they're at
>risk.
>
>The bill cuts to the quick of what has been an extremely contentious issue in
>the computer-security field. Businesses and many law-enforcement personnel
>argue that disclosing security breaches to the public could affect legal
>cases and disrupt investigations. It also would make companies more reluctant
>to share information on cyberattacks -- making it harder to fight hackers.
>
>NUISANCE SUITS. "Because businesses currently fear sharing information about
>cyberattacks, they're holding information back. Because of that, we're less
>equipped at the government level and the industry level to figure out where
>our vulnerabilities are great and how to address them," says Mario Correa,
>director of Internet and security policy for the Business Software Alliance,
>a high-tech trade group.
>Legal experts fear that the law could unleash a torrent of nuisance
>litigation. "A statute like California's is going to give rise to untold
>number of class actions, some of them created by aggressive plaintiff
>lawyers," says Jeffrey D. Neuburger, an expert in technology law and a
>partner at New York City firm Brown Raysman Millstein Felder & Steiner. "It
>won't serve the public's interest."
>
>Consumer groups strongly disagree. Consumer Union, the self-styled advocacy
>group that helped craft the California bill, argues that if the public
>doesn't know what's going on, people can't protect themselves from crimes
>such as identity theft and credit-card fraud. Even if it appears that a
>breach hasn't resulted in major exposures of critical information, such as
>Social Security or bank-account numbers, the reality is that it's impossible
>to know for sure whether intruders have grabbed any sensitive data.
>
>THE NET REMEMBERS. "We can't protect ourselves if we don't know what's being
>done with our information," says Gail Hillebrand, a senior attorney at CU.
>She rightly points out that timely notification would allow victims to warn
>the three big credit-reporting agencies to watch out for strange activity on
>their accounts or to give victims time to request a new driver's license or
>credit-card number, or open a new bank account.
>
>The Internet's elephantine memory is also a concern. Nothing that makes it
>onto the Net in a digital format ever really disappears. "As our information
>exists in more databases, we are exposed to more risks of identity theft,"
>says Hillebrand. She thinks a salutary benefit of the legislation would be
>companies and agencies putting a higher priority on data security and taking
>more preventive action. "We always hear there will be litigation, but the
>best way to avoid litigation is to have good prevention in place," says
>Hillebrand.
>
>Most businesses that get hacked surely do the right thing and inform
>customers. Also, the idea of allowing companies to quietly share technical
>information on breaches with investigators clearly has merit. In some
>instances, law enforcement's claims that full disclosure will ruin
>investigations are valid. For that reason, the California law includes a
>clause suspending full disclosure if such a move would harm an investigation.
>Under any other circumstance, however, the public's right to know should
>trump a company or government's right to save face or money.

Tony Bartoletti 925-422-3881 <azb@llnl.gov>
Information Operations and Assurance Center
Lawrence Livermore National Laboratory
Livermore, CA 94551-9900
This archive was generated by hypermail 2.1.2 : 2002-12-31 12:01:54 PST