Firewall Wizards mailing list archives
Re: Flawed Surveys [was: VPN endpoints]
From: Abe Singer <abe () sdsc edu>
Date: Fri, 3 Sep 2004 15:35:18 -0700
> From: MHawkins () TULLIB COM [mailto:MHawkins () TULLIB COM]
> Subject: RE: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]
>
> Mike,
>
> > Mike - In CA all public companies must disclose any security breaches.
>
> This is not true. Security breaches WHERE CUSTOMER INFORMATION was compromised must be reported.
If you are referring to the legislation commonly known as SB1386, this too is not quite accurate. (disclaimer: IANAL, but I have read the text of the bill) The law requires that any breach of security of, i.e. exposure of, "personal information" (defined below) be, and this is important: disclosed to the *person whose information was exposed.* And that in turn is limited to CA residents. Not to the general public, and not to non-residents who may have had information exposed. Now the upshot is that this often ends up resulting in a public disclosure, but the company complying may choose to just quietly notify the residents affected.

The term "personal information" is quite specifically defined as the person's name in *combination* with one of the following: Social Security number, driver's license, state ID, or credit card/debit card/account number plus any PIN required for access. Furthermore, the law only applies to disclosure of "unencrypted" information. However, it does not define allowed methods of encryption. Theoretically one could rot13 the data and consider it encrypted. (no comment on rot26)
> CA's legislation primarily is intended to indirectly protect privacy.
The law was written, not as a privacy law, but to address identity theft (and yes, you could argue that privacy is part of ID theft, but I'm talking about the actual text of the law). By requiring companies that handle information used in identity theft to notify individuals that their information has been exposed, those potential victims have an opportunity to take measures to protect themselves. Furthermore, the law provides a shield from liability to the company that discloses -- a victim of ID theft can extract some civil penalties from a company that fails to disclose, by suing them and proving that the information was exposed. There is no criminal penalty for failing to disclose a breach.

For those who actually dig reading the law, the text of the bill as passed can be found here: http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards