Security Incidents mailing list archives
California State Bill SB1386
From: "Steve Zenone" <zenone () cats ucsc edu>
Date: Fri, 21 Mar 2003 17:03:14 -0800
Hello,

This message is in regards to getting clarification on what to do in the event of a breach per SB1386. Starting on July 1, 2003, California State Bill SB1386 will become operative. From a technical InfoSec perspective, I am unclear about a section of the bill. In a nutshell, to quote from the original bill text, SB1386 will...

"require a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."

The unclear part is the use of the word "unencrypted". For example, can someone jokingly use ROT13 to encrypt data and say, "hey - it's encrypted!"?

% cat data | tr 'a-zA-Z' 'n-za-mN-ZA-M' > encrypted

In other words, what defines encryption so as to satisfy this bill's requirements?

Secondly, what if I have an encrypted database, however, an "attacker" is able to monitor the plaintext traffic over http from the front-end webserver (which is fed data from the encrypted DB) to the remote browser client. Obviously, there is a breach. The "attacker" isn't getting the entire database. Rather, they're able to get session-specific plaintext packet dumps. If the breach occurred on my network, I take it that this would need to be disclosed per the bill. What if the breach occurred outside of my network and affected sessions between my network and provider XYZ. Does the bill still require me to disclose? This is hypothetical. Of course, it would make more sense using https as opposed to http. However, for the sake of trying to get clarification, I tossed out the above example.

Last example, what if the data moves over the Net via SSL to a remote user's workstation where it is then stored unencrypted.
If the user's system is compromised and the data is "acquired by an unauthorized person", where do we go based upon the requirements of SB1386?

Thanks in advance for your insight.

SB1386 original text: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Regards,
Steve
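The ROT13 question in the post above has a concrete technical answer, independent of how the statute is read: a transform only protects data if recovering the plaintext requires a secret the attacker does not have. ROT13 has no secret at all (it is its own inverse), and the general Caesar shift it belongs to has a key space of 26, small enough to enumerate and rank by letter frequency. The following added example, which is not part of the original post or the thread, implements the same shift the `tr` command performs and then recovers the plaintext from the "encrypted" output with no key, using a chi-squared fit against published English letter frequencies. The sample record is constructed for the demonstration and the function names are this example's own.

```python
"""Why ROT13 (or any 26-key Caesar shift) does not make data "encrypted"
in any useful sense: anyone holding the output can recover the input
without being handed a key.  Added example, not from the original post."""
import string
from typing import Tuple

# Published approximate letter frequencies of English text, in percent.
# Used only to score how English-like a candidate decryption looks.
ENGLISH_FREQ = {
    "a": 8.17, "b": 1.49, "c": 2.78, "d": 4.25, "e": 12.70, "f": 2.23,
    "g": 2.02, "h": 6.09, "i": 6.97, "j": 0.15, "k": 0.77, "l": 4.03,
    "m": 2.41, "n": 6.75, "o": 7.51, "p": 1.93, "q": 0.10, "r": 5.99,
    "s": 6.33, "t": 9.06, "u": 2.76, "v": 0.98, "w": 2.36, "x": 0.15,
    "y": 1.97, "z": 0.07,
}

# Constructed sample of the kind of "personal information" the post is
# about; not real data.
SAMPLE_RECORD = (
    "Name, account number, and mailing address for each California "
    "resident are stored in this table and must be protected before "
    "they leave the database."
)


def caesar(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions, preserving case.
    Non-letters pass through unchanged, exactly as the tr command does."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """Equivalent of: tr 'a-zA-Z' 'n-za-mN-ZA-M'.  Applying it twice
    returns the original, so there is no key to withhold from anyone."""
    return caesar(text, 13)


def chi_squared(text: str) -> float:
    """Chi-squared distance between the letter histogram of `text` and
    English; lower means more English-like.  Empty input scores worst."""
    letters = [c for c in text.lower() if c in string.ascii_lowercase]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def brute_force_caesar(ciphertext: str) -> Tuple[int, str]:
    """Recover (shift, plaintext) from Caesar output with no key: the
    entire key space is 26 candidates, so try them all and keep the one
    whose letter frequencies best match English."""
    best = min(range(26), key=lambda k: chi_squared(caesar(ciphertext, -k)))
    return best, caesar(ciphertext, -best)


if __name__ == "__main__":
    leaked = rot13(SAMPLE_RECORD)        # what the attacker obtains
    print("leaked file :", leaked)
    shift, recovered = brute_force_caesar(leaked)
    print("best shift  :", shift)
    print("recovered   :", recovered)
```

The scorer needs a few dozen letters of natural-language text to be reliable; for a database dump of names and addresses that condition is always met. The contrast with a real cipher is not the shape of the loop but its size: a 128- or 256-bit key cannot be enumerated, so the plaintext stays out of reach as long as the key itself was not acquired along with the data, which is the question a breach assessment under an "unencrypted" safe harbour actually has to answer.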
Current thread:
- California State Bill SB1386 Steve Zenone (Mar 22)
- RE: California State Bill SB1386 Jonathan A. Zdziarski (Mar 24)
- RE: California State Bill SB1386 Steve Zenone (Mar 24)
- RE: California State Bill SB1386 Jonathan A. Zdziarski (Mar 26)
- Re: California State Bill SB1386 Rodrigo Barbosa (Mar 26)
- RE: California State Bill SB1386 System Administrator (Mar 26)
- Re: California State Bill SB1386 Anders Reed Mohn (Mar 26)
- Re: California State Bill SB1386 Cliff Gilley (System Admin, HolyElvis.com) (Mar 28)
- RE: California State Bill SB1386 Steve Zenone (Mar 24)
- RE: California State Bill SB1386 Jonathan A. Zdziarski (Mar 24)
- <Possible follow-ups>
- RE: California State Bill SB1386 Rohrer, Mark E (Mar 26)