Computer Break-Ins: Your Right to Know

[InfoSec News <isn () c4i org>]

Forwarded from: "eric wolbrom, CISSP" <eric () shtech net>

http://www.businessweek.com/technology/content/nov2002/tc20021111_2402.htm

By Alex Salkever 
SECURITY NET 
NOVEMBER 11, 2002 

In April, 2002, hackers broke into the payroll database for the state
of California. For more than a month, cybercriminals rooted around in
the personal information of 265,000 Golden State employees, ranging
from Governor Gray Davis to maintenance workers and clerks.

Worse, the California Controller's Office, which ran the database,
failed to notify state employees for more than two weeks after the
breach was discovered. Although officials with the Controller's office
insisted the break-in probably hadn't resulted in any significant
harm, the incident enraged Golden State pols and employees, whose
Social Security numbers, bank account information, and home addresses
were fair game for the hackers.

This lapse sparked what may mark a dramatic shift in legal policy
toward cybersecurity. Over strenuous objections from the business
lobby, on Sept. 26 California enacted a sweeping measure that mandates
public disclosure of computer-security breaches in which confidential
information may have been compromised. The law covers not just state
agencies but private enterprises doing business in California. Come
July 1, 2003, those who fail to disclose that a breach has occurred
could be liable for civil damages or face class actions.

LEAPFROGGING D.C.  According to legal experts, this is the first state
law of its kind. And because of California's size and prominent role
in the high-tech industry, it could create a de facto national
disclosure policy. What's more, the California law leapfrogs efforts
by industry and White House cybersecurity chief Richard Clarke to
create an amnesty policy designed to encourage companies to share
information about breaches with law enforcement. That policy, which is
written into the still-pending House version of the Homeland Security
Act, would exempt from the U.S. Freedom of Information Act any
information about security breaches that's shared with the federal
government.

I think the California law is long overdue. In far too many instances,
companies and governments have kept mum after they were hacked,
seeking to preserve their reputations and avoid public outcry while
their customers face risk of identity theft. Computer-security
breaches must be treated like any other issue of public safety, and
people must be informed when they're at risk.

The bill cuts to the quick of what has been an extremely contentious
issue in the computer-security field. Businesses and many
law-enforcement personnel argue that disclosing security breaches to
the public could affect legal cases and disrupt investigations. It
also would make companies more reluctant to share information on
cyberattacks -- making it harder to fight hackers.

NUISANCE SUITS.  "Because businesses currently fear sharing
information about cyberattacks, they're holding information back.  
Because of that, we're less equipped at the government level and the
industry level to figure out where our vulnerabilities are great and
how to address them," says Mario Correa, director of Internet and
security policy for the Business Software Alliance, a high-tech trade
group.

Legal experts fear that the law could unleash a torrent of nuisance
litigation. "A statute like California's is going to give rise to
untold number of class actions, some of them created by aggressive
plaintiff lawyers," says Jeffrey D. Neuburger, an expert in technology
law and a partner at New York City firm Brown Raysman Millstein Felder
&amp; Steiner. "It won't serve the public's interest."

Consumer groups strongly disagree. Consumer Union, the self-styled
advocacy group that helped craft the California bill, argues that if
the public doesn't know what's going on, people can't protect
themselves from crimes such as identity theft and credit-card fraud.  
Even if it appears that a breach hasn't resulted in major exposures of
critical information, such as Social Security or bank-account numbers,
the reality is that it's impossible to know for sure whether intruders
have grabbed any sensitive data.

THE NET REMEMBERS.  "We can't protect ourselves if we don't know
what's being done with our information," says Gail Hillebrand, a
senior attorney at CU. She rightly points out that timely notification
would allow victims to warn the three big credit-reporting agencies to
watch out for strange activity on their accounts or to give victims
time to request a new driver's license or credit-card number, or open
a new bank account.

The Internet's elephantine memory is also a concern. Nothing that
makes it onto the Net in a digital format ever really disappears. "As
our information exists in more databases, we are exposed to more risks
of identity theft," says Hillebrand. She thinks a salutary benefit of
the legislation would be companies and agencies putting a higher
priority on data security and taking more preventive action. "We
always hear there will be litigation, but the best way to avoid
litigation is to have good prevention in place," says Hillebrand.

Most businesses that get hacked surely do the right thing and inform
customers. Also, the idea of allowing companies to quietly share
technical information on breaches with investigators clearly has
merit. In some instances, law enforcement's claims that full
disclosure will ruin investigations are valid. For that reason, the
California law includes a clause suspending full disclosure if such a
move would harm an investigation.

Under any other circumstance, however, the public's right to know
should trump a company or government's right to save face or money.


_______________________________________________________________________
eric wolbrom, CISSP                     Safe Harbor Technologies
President & CIO                         190 Goldens Bridge Ct.
Voice 914.767.9090 ext. 6000            Katonah, NY 10536
Fax   914.767.3911                              http://www.shtech.net
_______________________________________________________________________



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.