Firewall Wizards mailing list archives

Re: Flawed Surveys [was: VPN endpoints]


From: Abe Singer <abe () sdsc edu>
Date: Fri, 3 Sep 2004 15:35:18 -0700

From: MHawkins () TULLIB COM [mailto:MHawkins () TULLIB COM]
Subject: RE: [fw-wiz] Re: Flawed Surveys [was: VPN endpoints]

Message: 7

Mike,

> Mike - In CA all public companies must disclose any security breaches.

This is not true. Security breaches WHERE CUSTOMER INFORMATION was
compromised must be reported.

If you are referring to legislation commonly known as SB1386, this too
is not quite accurate.

(disclaimer:  IANAL, but I have read the text of the bill)

The law requires that any breach of security of, i.e. exposure of, "personal
information" (defined below) be, and this is important: disclosed to
the *person whose information was exposed.*

And that in turn is limited to CA residents.  Not to the general public,
and not to non-residents who may have had information exposed.

Now the upshot is that this often ends up resulting in a public disclosure,
but the company complying may choose to just quietly notify the residents
affected.

The term "personal information" is quite specifically defined as  the
person's name in *combination* with one of the following:  Social Security
number, driver's license, state ID, or  credit card/debit card/account
number plus any PIN required for access.

Furthermore, the law only applies to disclosure of "unencrypted"
information.  However, it does not define allowed methods of encryption.
Theoretically one could rot13 the data and consider it encrypted.
(no comment on rot26)

> CA's legislation primarily is intended to indirectly protect privacy.

The law was written, not as a privacy law, but to address identity
theft (and yes, you could argue that privacy is part of ID theft, but
I'm talking about the actual text of the law). By requiring companies
that handle information used in identity theft to notify individuals
that their information had been exposed, those potential victims have
an opportunity to take measures to protect themselves.

Furthermore, the law provides a shield to liability to the company
who discloses -- a victim of ID theft can extract some civil penalties
from a company who fails to disclose, by suing them and proving that
the information was exposed.  There is no criminal penalty for failing
to disclose a breach.


For those who actually dig reading the law, the text of the bill as
passed can be found here:

    http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
