Politech mailing list archives

FC: Problems with California's "you've been hacked" law


From: Declan McCullagh <declan () well com>
Date: Mon, 14 Jul 2003 10:34:32 -0400

[If enough people cared to know about whether their email accounts have been hacked, some bright entrepreneur would probably figure this out and launch such a service in hopes of getting rich. Because that hasn't happened, I'd guess that people probably don't care as much as politicians think, or, alternatively, existing ISPs' policies may suffice. For instance, The Well notified me after some miscreants compromised my account and John Markoff's and the accounts of a few other journalists (this was years ago). --Declan]

---

Date: Sun, 13 Jul 2003 21:36:49 -0700 (PDT)
From: No Thanks <foogert99 () yahoo com>
Subject: California Privacy Law
To: declan () well com

Greetings, Declan.

Perhaps I missed it, but I'm not sure that I've seen any Politech coverage of the new California Privacy Law that requires companies to notify their customers if personal information is stolen, or is believed to have been stolen, by "hackers".

This law, which was introduced into the California Senate as SB 1386, and became California Civil Code 1798.82 on July 1 2003, has been widely reported as requiring companies to notify their customers of a security breach that resulted in the disclosure of "customer information" to unauthorized third parties.

Notably, Senator Dianne Feinstein recently introduced a similar bill into the US Senate, seeking to create a national law based on the California policy. The US Senate bill is number SB 1350, and is reassuringly titled "The Notification of Risk to Personal Data Act."

I initially believed that this law required companies to notify us if they believed that *any* of our "customer information" had been stolen. And I've read a number of articles in the technology press applauding the law, since it seems to support transparency and disclosure, and because it puts some responsibility and liability on the shoulders of those whose inaction makes security breaches possible in the first place.

But before we start celebrating, I'd like to encourage you and your readers to read the actual text of the California law, which is available in PDF format at the URL below. Unless I'm reading it wrong (IANAL), the only "customer information" protected by this law is social security number, driver's license number, or credit card/bank account number.

I was pretty surprised by that, and I'm surprised that none of the coverage that this got in the technology press pointed out the loophole this leaves. For example, if somebody hacks my HMO and steals all my medical records, the HMO wouldn't be required to notify me, unless my SSN# was also stolen!

Or, if somebody (god forbid) cracked Hotmail, and downloaded all my email, including the password reminder my bank sent me - they wouldn't have to notify me of that, either.

I had thought that this law might be useful for going after companies who refuse to acknowledge or address security vulnerabilities in their software, or companies whose boneheaded customer service practices leave them open to social engineering exploits. Admittedly, I have an axe to grind on the latter count, as the author of the "full disclosure" site referenced below.

But, it seems this law has no relevance to that matter, or any other security breach that isn't the direct precursor to identity theft in the conventional sense. I think that's something that everybody should know about the California law, and also about the opportunity that would be missed by Senator Feinstein's bill, should that become a nationwide law.

CA Senate Bill 1386: http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

SJ Mercury News Article (says the law requires notification if companies "even suspect that hackers or others have gained unauthorized access to customer information"): http://www.bayarea.com/mld/mercurynews/business/6209059.htm

PC World Article on SB 1386: http://www.pcworld.com/news/article/0,aid,110678,00.asp

Full Disclosure of DirecTV Customer Privacy Exploit: http://www.geocities.com/foogert99/

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
-------------------------------------------------------------------------
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
Declan McCullagh's photographs are at http://www.mccullagh.org/
Like Politech? Make a donation here: http://www.politechbot.com/donate/
-------------------------------------------------------------------------