[iwar] California Enacts Cyber-Intrusion Reporting Requirements.

From: Tony Bartoletti (azb@llnl.gov)
Date: 2002-11-15 14:22:00




California enacts cyber-intrusion reporting requirements.


>Computer Break-Ins: Your Right to Know;
>California law now demands that the public be informed when government or
>corporate databases are breached. It's about time
>Copyright 2002 The McGraw-Hill Companies, Inc. All Rights Reserved
>Business Week Online...11/11/2002
>
>Alex Salkever
>
>In April, 2002, hackers broke into the payroll database for the state of
>California. For more than a month, cybercriminals rooted around in the
>personal information of 265,000 Golden State employees, ranging from Governor
>Gray Davis to maintenance workers and clerks.
>
>Worse, the California Controller's Office, which ran the database, failed to
>notify state employees for more than two weeks after the breach was
>discovered. Although officials with the Controller's office insisted the
>break-in probably hadn't resulted in any significant harm, the incident
>enraged Golden State pols and employees, whose Social Security numbers, bank
>account information, and home addresses were fair game for the hackers.
>
>This lapse sparked what may mark a dramatic shift in legal policy toward
>cybersecurity. Over strenuous objections from the business lobby, on Sept. 26
>California enacted a sweeping measure that mandates public disclosure of
>computer-security breaches in which confidential information may have been
>compromised. The law covers not just state agencies but private enterprises
>doing business in California. Come July 1, 2003, those who fail to disclose
>that a breach has occurred could be liable for civil damages or face class
>actions.
>
>LEAPFROGGING D.C. According to legal experts, this is the first state law of
>its kind. And because of California's size and prominent role in the
>high-tech industry, it could create a de facto national disclosure policy.
>What's more, the California law leapfrogs efforts by industry and White House
>cybersecurity chief Richard Clarke to create an amnesty policy designed to
>encourage companies to share information about breaches with law enforcement.
>That policy, which is written into the still-pending House version of the
>Homeland Security Act, would exempt from the U.S. Freedom of Information Act
>any information about security breaches that's shared with the federal
>government.
>
>I think the California law is long overdue. In far too many instances,
>companies and governments have kept mum after they were hacked, seeking to
>preserve their reputations and avoid public outcry while their customers face
>risk of identity theft. Computer-security breaches must be treated like any
>other issue of public safety, and people must be informed when they're at
>risk.
>
>The bill cuts to the quick of what has been an extremely contentious issue in
>the computer-security field. Businesses and many law-enforcement personnel
>argue that disclosing security breaches to the public could affect legal
>cases and disrupt investigations. It also would make companies more reluctant
>to share information on cyberattacks -- making it harder to fight hackers.
>
>NUISANCE SUITS. "Because businesses currently fear sharing information about
>cyberattacks, they're holding information back. Because of that, we're less
>equipped at the government level and the industry level to figure out where
>our vulnerabilities are great and how to address them," says Mario Correa,
>director of Internet and security policy for the Business Software Alliance,
>a high-tech trade group.
>
>Legal experts fear that the law could unleash a torrent of nuisance
>litigation. "A statute like California's is going to give rise to untold
>number of class actions, some of them created by aggressive plaintiff
>lawyers," says Jeffrey D. Neuburger, an expert in technology law and a
>partner at New York City firm Brown Raysman Millstein Felder & Steiner. "It
>won't serve the public's interest."
>
>Consumer groups strongly disagree. Consumers Union, the self-styled advocacy
>group that helped craft the California bill, argues that if the public
>doesn't know what's going on, people can't protect themselves from crimes
>such as identity theft and credit-card fraud. Even if it appears that a
>breach hasn't resulted in major exposures of critical information, such as
>Social Security or bank-account numbers, the reality is that it's impossible
>to know for sure whether intruders have grabbed any sensitive data.
>
>THE NET REMEMBERS. "We can't protect ourselves if we don't know what's being
>done with our information," says Gail Hillebrand, a senior attorney at CU.
>She rightly points out that timely notification would allow victims to warn
>the three big credit-reporting agencies to watch out for strange activity on
>their accounts or to give victims time to request a new driver's license or
>credit-card number, or open a new bank account.
>
>The Internet's elephantine memory is also a concern. Nothing that makes it
>onto the Net in a digital format ever really disappears. "As our information
>exists in more databases, we are exposed to more risks of identity theft,"
>says Hillebrand. She thinks a salutary benefit of the legislation would be
>companies and agencies putting a higher priority on data security and taking
>more preventive action. "We always hear there will be litigation, but the
>best way to avoid litigation is to have good prevention in place," says
>Hillebrand.
>
>Most businesses that get hacked surely do the right thing and inform
>customers. Also, the idea of allowing companies to quietly share technical
>information on breaches with investigators clearly has merit. In some
>instances, law enforcement's claims that full disclosure will ruin
>investigations are valid. For that reason, the California law includes a
>clause suspending full disclosure if such a move would harm an investigation.
>Under any other circumstance, however, the public's right to know should
>trump a company or government's right to save face or money.


Tony Bartoletti 925-422-3881 <azb@llnl.gov>
Information Operations and Assurance Center
Lawrence Livermore National Laboratory
Livermore, CA 94551-9900





This archive was generated by hypermail 2.1.2 : 2002-12-31 12:01:54 PST