BreachExchange mailing list archives

Re: Revising CA breach law (SB 20)


From: security curmudgeon <jericho () attrition org>
Date: Mon, 16 Mar 2009 23:53:22 +0000 (UTC)


I am replying to Sasha's post, as well as B.K.'s question directed toward 
OSF.

: What I find most interesting are the arguments opposed (2nd to last
: paragraph). Not that I believe them, necessarily, but that it would be a

: Legislation would mandate breach notification content and centralized reporting

: Second, the proposed changes would centralize reporting of data breach 
: notification for certain breaches with the state Attorney General. The 
: statute would require any agency, business, or individual required to 
: issue a security breach notification to more than 500 California 
: residents as a result of a single breach to electronically submit that 
: notification to the state Attorney General. Several other state laws 
: already require centralized reporting to the state's attorney general.

B.K. wrote:
= Since they're doing FOIAs, I'd be curious what folks from the
= DatalossDB/OSF think of the proposed changes.

The difference we see when making a FOIA request against a state with 
centralized reporting and one without is distinct. For example, my request 
to Colorado (which has no centralized reporting) yielded 5 results, all of 
which we had in our database. It didn't include incidents that I was 
personally affected by in Colorado.

Dave has received upwards of *800* documents from at least one, if not two, 
states that have centralized reporting. Those FOIA requests end up 
yielding new information that we had no record of.

: Opponents of the legislation include the Association of California 
: Insurance Companies, the California Bankers Association, the California 
: Business Properties Association, the California Chamber of Commerce, the 
: California Financial Service Association, the California Mortgage 
: Bankers Association, Experian, the Personal Insurance Federation of 
: California, State Farm, the State Privacy and Security Coalition, and 
: Tech America.

Thank you for the list of businesses and agencies that clearly don't care 
about consumer rights. No surprise at some of those names.

: Opponents of the legislation assert that requiring breach notifications 
: to include the contact information for credit bureaus misleads consumers 
: into thinking that identity theft will occur, which is not necessarily 
: true. 

Seriously? The option to give consumers information to be more aware and 
diligent in monitoring their credit versus the supposed fear it induces 
that their information may be misused. Wow...

: Opponents also question whether it is necessary for individual consumers 
: to receive notification of the number of affected individuals. 

They question, but don't provide a solid reason this is 'bad'?

: Finally, the opponents claim that disclosing the date and size of the 
: breach will allow hackers to determine that a particular method of 
: attack was successful and that an attack on a certain database is likely 
: to yield a certain amount of personal information.

This is absurd. The date and size of the breach do nothing to indicate the 
method of the attack. News articles that report the basics DatalossDB 
tracks (e.g., lost tape, outside hack, inside theft) give information on 
the method.

These are the weakest justifications for not making such information 
available I can imagine.


_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
