Security Incidents mailing list archives

California State Bill SB1386


From: "Steve Zenone" <zenone () cats ucsc edu>
Date: Fri, 21 Mar 2003 17:03:14 -0800

Hello,

This message is in regard to getting clarification on what 
to do in the event of a breach per SB1386.

Starting on July 1, 2003, California State Bill SB1386 will 
become operative. From a technical InfoSec perspective, I
am unclear about a section of the bill.

In a nutshell, to quote from the original bill text, SB1386
will...

 "require a state agency, or a person or business that 
  conducts business in California, that owns or licenses 
  computerized data that includes personal information, 
  as defined, to disclose in specified ways, any breach of
  the security of the data, as defined, to any resident 
  of California whose unencrypted personal information 
  was, or is reasonably believed to have been, acquired 
  by an unauthorized person." 

The unclear part is the use of the word "unencrypted".
For example, can someone jokingly use ROT13 to encrypt 
data and say, "hey - it's encrypted!"?

 % cat data | tr 'a-zA-Z' 'n-za-mN-ZA-M' > encrypted

In other words, what defines encryption so as to satisfy
this bill's requirements?

Secondly, what if I have an encrypted database, however,
an "attacker" is able to monitor the plaintext traffic over 
http from the front-end webserver (which is fed data from
the encrypted DB) to the remote browser client. Obviously,
there is a breach. The "attacker" isn't getting the entire
database. Rather, they're able to get session specific 
plaintext packet dumps. If the breach occurred on my 
network, I take it that this would need to be disclosed 
per the bill. What if the breach occurred outside of my 
network and affected sessions between my network and
provider XYZ? Does the bill still require me to disclose?

This is hypothetical. Of course, it would make more sense
using https as opposed to http. However, for the sake of
trying to get clarification, I tossed out the above example.

Last example, what if the data moves over the Net via SSL 
to a remote user's workstation where it is then stored
unencrypted. If the user's system is compromised and
the data is "acquired by an unauthorized person", where
do we go based upon the requirements of SB1386? 

Thanks in advance for your insight.

SB1386 original text:
 http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

Regards,
Steve
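An added example, not part of Steve's message, that makes the ROT13 point concrete. It reimplements the `tr 'a-zA-Z' 'n-za-mN-ZA-M'` one-liner in Python and then shows two things a practitioner would want on the table when someone says "hey - it's encrypted!": the rotation never touches digits or punctuation, so account numbers and amounts in a record stay in the clear, and the letters can be recovered with no key at all by trying every one of the 26 possible shifts and keeping the one that produces English. The customer record and the small word list used for scoring are constructed for this example.

```python
import re
import string

# Constructed sample record for this demonstration (not real data).
SAMPLE_RECORD = "Name: Jane Doe, Account: 4111-1111-1111-1111, Balance: 1250.00 USD"

# Small hypothetical word list of terms likely to appear in customer records.
# It is used only to score candidate decryptions; any English word list would do.
WORDLIST = {"the", "and", "name", "account", "balance", "customer",
            "number", "address", "date", "card", "record"}


def caesar(text: str, shift: int) -> str:
    """Rotate every ASCII letter by `shift` positions and pass everything
    else through untouched, exactly as `tr 'a-zA-Z' 'n-za-mN-ZA-M'` does
    for shift=13. Case is preserved."""
    lower, upper = string.ascii_lowercase, string.ascii_uppercase
    out = []
    for ch in text:
        if ch in lower:
            out.append(lower[(lower.index(ch) + shift) % 26])
        elif ch in upper:
            out.append(upper[(upper.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """The tr(1) one-liner from the message. ROT13 is its own inverse."""
    return caesar(text, 13)


def nonletter_content(text: str) -> str:
    """Everything a letter-only rotation leaves alone: digits, punctuation
    and spacing. For a customer record that is the account number and the
    amounts, which therefore sit in the 'encrypted' file in plaintext."""
    return "".join(ch for ch in text if not ch.isalpha())


def english_score(candidate: str) -> int:
    """Number of alphabetic tokens in `candidate` found in WORDLIST."""
    words = re.findall(r"[A-Za-z]+", candidate.lower())
    return sum(1 for w in words if w in WORDLIST)


def recover_without_key(ciphertext: str) -> tuple[int, str]:
    """Brute-force all 26 shifts, which is the entire key space of any
    Caesar rotation, and return the shift whose output looks most like
    English together with that output. No key material is needed because
    the scheme has no secret: the 'key' is part of the algorithm."""
    best_shift = max(range(26),
                     key=lambda s: english_score(caesar(ciphertext, s)))
    return best_shift, caesar(ciphertext, best_shift)


if __name__ == "__main__":
    ct = rot13(SAMPLE_RECORD)
    print("ciphertext:        ", ct)
    print("never rotated:     ", nonletter_content(ct))
    shift, pt = recover_without_key(ct)
    print(f"recovered (shift {shift}):", pt)
```

The recovery routine is deliberately more general than ROT13: it handles any fixed letter rotation, which is why the test below also recovers a shift-3 variant. The contrast with a real cipher is the point of the exercise: with an algorithm such as AES the attacker's only unknown is the key, and the key space is far too large to enumerate; here the key space is 26 and the digits were never hidden in the first place.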

