Information Security News mailing list archives

New law forces companies to warn consumers of computer security holes


From: InfoSec News <isn () c4i org>
Date: Tue, 24 Jun 2003 01:24:48 -0500 (CDT)

http://www.signonsandiego.com/news/computing/20030623-0003-ca-wevebeenhacked.html

By Rachel Konrad
ASSOCIATED PRESS
June 23, 2003

SAN JOSE - California consumers will learn next month whether their 
favorite shopping sites are steeled against computer fraud - or haunts 
of hackers and identity thieves. 

Starting July 1, companies must warn California customers of security 
holes in their corporate computer networks. When a retailer discovers 
its credit card numbers have been stolen, it must e-mail customers, 
essentially saying, "We've been hacked, and the hacker may have your 
credit card number." 

Local politicians call the regulation the first of its kind in the 
United States, and it could become the model for a nationwide law. 
U.S. Sen. Dianne Feinstein plans to introduce similar legislation 
within a month. 

"Corporate and government databases are increasingly becoming targets 
of identity thieves seeking Social Security numbers and other 
sensitive personal data," the California Democrat said in an e-mail. 
"Under current law, all too often people are unaware that an identity 
thief has gained this information and may be using it to run up credit 
card bills or use it to manufacture a new identity." 

California's new regulation contrasts with the Bush administration's 
hands-off treatment of the technology industry, particularly when it 
comes to controversial e-commerce issues such as privacy and fraud. 

Although the FBI and Federal Trade Commission have hunted down Web 
site operators involved in fraudulent sales and auctions, proponents 
of the laissez-faire approach worry that regulations would hamper 
innovation in a fledgling industry. 

"You cannot legislate good behavior," said eBay chief security officer 
Howard Schmidt, who resigned this spring as a top cybersecurity 
adviser to President Bush. "The administration's policy was not to 
look to legislation or regulation to improve security but to look to 
market forces to drive it." 

But many technology executives and legal experts applaud the bold 
attempt to crack down on identity theft, one of the fastest growing 
crimes. 

The U.S. Postal Service reports that 50,000 people a year have become 
victims of identity theft, and the U.S. Treasury Department says 
thieves ring up $2 billion to $3 billion per year on stolen credit 
cards alone. As victims expend hours or days canceling debit and 
credit cards, obtaining new ones and re-establishing accounts and 
passwords, corporate America loses billions of dollars more in 
productivity. 

Proponents say the California bill makes executives more accountable 
for computer fraud. It doesn't impose specific monetary fines, but the 
regulation makes companies with questionable computer networks more 
vulnerable to lawsuits and public scorn. 

"It's a wake-up call for companies to make major, across-the-board 
changes in every part of the company," said Nick Akerman, an attorney 
specializing in computer fraud in the New York office of Dorsey & 
Whitney. "Companies are afraid to report breaches because they think 
it reflects badly on them, and they don't want the bad publicity of 
becoming known as a company that's been hacked into. This bill says, 
'You can't continue business as usual.'" 

The regulation applies to any company that stores data electronically 
and does business in California. Companies must alert customers 
whenever "unencrypted personal information was, or is reasonably 
believed to have been, acquired by an unauthorized person." 

The bill defines "personal information" as an individual's first name 
or initial and last name, with one of the following: Social Security 
number; driver's license number; state identification number; or 
credit or debit card account number and security code. 

Except when disclosure would impede a criminal investigation, 
companies must notify consumers "in the most expedient time possible," 
with an e-mail or letter. 

If a hacker gains access to data for 500,000 or more customers, the 
company might have to notify people through e-mail, a "conspicuous" 
posting on a Web site and disclosure to a major media outlet. 

Some say the bill does for computer security what the Sarbanes-Oxley 
Act tried to do for accounting. Bush signed it into law in 2002 after 
scandals at Enron and WorldCom as an attempt to legislate corporate 
ethics by making companies disclose shortcomings in financial 
reporting. 

"Before the regulation, you would have had an 'Oh, my God' response 
and worried maybe that your boss would get angry with you," Matt 
Stevens, a vice president at Walpole, Mass.-based database security 
company Network Intelligence, said of the California bill. "Now 
there's a corporate malfeasance issue." 

Amazon.com, Land's End, REI and numerous other companies with 
extensive databases would not comment on the bill. Dell Computer, 
which sells 50 percent of its goods online, said it applauds the 
regulation. 

"This legislation codifies what we've had in place for a long time," 
spokeswoman Cathie Hargett said. "In those very, very rare cases we 
believe customer information has been compromised, we tracked who was 
affected ... and alerted them by e-mail - simply because we think it's 
good business practice. They appreciate the notification." 

Sending e-mails to customers is daunting, but sending alerts to 
newspapers and wire services truly panics e-commerce executives, said 
Peggy Weigle, chief executive of Santa Clara-based security company 
Sanctum Inc. The regulation would treat computer vulnerabilities like 
automobile recalls - critical safety data that must not be kept from 
the public. 

"The public has been under the impression that the transactions 
they're doing online are really secure," Weigle said. "That's because 
most businesses don't call up the San Francisco Chronicle and say, 'We 
just had a quarter million credit cards stolen.' That info never sees 
the light of day - until this regulation takes effect." 

Nearly half of the 530 companies and government agencies polled in 
January by the FBI and San Francisco-based Computer Security Institute 
acknowledged their networks had been the victim of an unauthorized, 
internal hacker in the past year, and unauthorized outsiders 
penetrated more than one in three companies. 

It's unclear whether the alarming level of computer fraud will result 
in so many warnings that consumers ignore them. 

Andy Carvin, an e-commerce enthusiast in Washington, D.C., would like 
a national version of the California bill. Carvin discovered his 
credit card information was stolen two years ago, when Visa called to 
ask whether he ordered $3,000 in personal computers and moved to the 
Philippines. He suspects a hacker stole data during an online 
transaction. 

"It would have been great if one of the airlines where I had bought 
tickets or Amazon.com or MacWarehouse had sent a letter with some 
useful advice," Carvin said. "I'd feel they wanted to help me." 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
