[ISN] Computer Break-Ins: Your Right to Know

From: InfoSec News (isnat_private)
Date: Mon Nov 11 2002 - 22:56:48 PST


Forwarded from: "eric wolbrom, CISSP" <ericat_private>

By Alex Salkever
NOVEMBER 11, 2002

In April, 2002, hackers broke into the payroll database for the state
of California. For more than a month, cybercriminals rooted around in
the personal information of 265,000 Golden State employees, ranging
from Governor Gray Davis to maintenance workers and clerks.

Worse, the California Controller's Office, which ran the database,
failed to notify state employees for more than two weeks after the
breach was discovered. Although officials with the Controller's office
insisted the break-in probably hadn't resulted in any significant
harm, the incident enraged Golden State pols and employees, whose
Social Security numbers, bank account information, and home addresses
were fair game for the hackers.

This lapse sparked what may mark a dramatic shift in legal policy
toward cybersecurity. Over strenuous objections from the business
lobby, on Sept. 26 California enacted a sweeping measure that mandates
public disclosure of computer-security breaches in which confidential
information may have been compromised. The law covers not just state
agencies but private enterprises doing business in California. Come
July 1, 2003, those who fail to disclose that a breach has occurred
could be liable for civil damages or face class actions.

LEAPFROGGING D.C.  According to legal experts, this is the first state
law of its kind. And because of California's size and prominent role
in the high-tech industry, it could create a de facto national
disclosure policy. What's more, the California law leapfrogs efforts
by industry and White House cybersecurity chief Richard Clarke to
create an amnesty policy designed to encourage companies to share
information about breaches with law enforcement. That policy, which is
written into the still-pending House version of the Homeland Security
Act, would exempt from the U.S. Freedom of Information Act any
information about security breaches that's shared with the federal

I think the California law is long overdue. In far too many instances,
companies and governments have kept mum after they were hacked,
seeking to preserve their reputations and avoid public outcry while
their customers face risk of identity theft. Computer-security
breaches must be treated like any other issue of public safety, and
people must be informed when they're at risk.

The bill cuts to the quick of what has been an extremely contentious
issue in the computer-security field. Businesses and many
law-enforcement personnel argue that disclosing security breaches to
the public could affect legal cases and disrupt investigations. It
also would make companies more reluctant to share information on
cyberattacks -- making it harder to fight hackers.

NUISANCE SUITS.  "Because businesses currently fear sharing
information about cyberattacks, they're holding information back.
Because of that, we're less equipped at the government level and the
industry level to figure out where our vulnerabilities are great and
how to address them," says Mario Correa, director of Internet and
security policy for the Business Software Alliance, a high-tech trade

Legal experts fear that the law could unleash a torrent of nuisance
litigation. "A statute like California's is going to give rise to
untold number of class actions, some of them created by aggressive
plaintiff lawyers," says Jeffrey D. Neuburger, an expert in technology
law and a partner at New York City firm Brown Raysman Millstein Felder
& Steiner. "It won't serve the public's interest."

Consumer groups strongly disagree. Consumers Union, the self-styled
advocacy group that helped craft the California bill, argues that if
the public doesn't know what's going on, people can't protect
themselves from crimes such as identity theft and credit-card fraud.
Even if it appears that a breach hasn't resulted in major exposures of
critical information, such as Social Security or bank-account numbers,
the reality is that it's impossible to know for sure whether intruders
have grabbed any sensitive data.

THE NET REMEMBERS.  "We can't protect ourselves if we don't know
what's being done with our information," says Gail Hillebrand, a
senior attorney at CU. She rightly points out that timely notification
would allow victims to warn the three big credit-reporting agencies to
watch out for strange activity on their accounts or to give victims
time to request a new driver's license or credit-card number, or open
a new bank account.

The Internet's elephantine memory is also a concern. Nothing that
makes it onto the Net in a digital format ever really disappears. "As
our information exists in more databases, we are exposed to more risks
of identity theft," says Hillebrand. She thinks a salutary benefit of
the legislation would be companies and agencies putting a higher
priority on data security and taking more preventive action. "We
always hear there will be litigation, but the best way to avoid
litigation is to have good prevention in place," says Hillebrand.

Most businesses that get hacked surely do the right thing and inform
customers. Also, the idea of allowing companies to quietly share
technical information on breaches with investigators clearly has
merit. In some instances, law enforcement's claims that full
disclosure will ruin investigations are valid. For that reason, the
California law includes a clause suspending full disclosure if such a
move would harm an investigation.

Under any other circumstance, however, the public's right to know
should trump a company or government's right to save face or money.

eric wolbrom, CISSP                     Safe Harbor Technologies
President & CIO                         190 Goldens Bridge Ct.
Voice 914.767.9090 ext. 6000            Katonah, NY 10536
Fax   914.767.3911                      http://www.shtech.net