[ISN] New law forces companies to warn consumers of computer security holes

From: InfoSec News (isnat_private)
Date: Mon Jun 23 2003 - 23:24:48 PDT

    http://www.signonsandiego.com/news/computing/20030623-0003-ca-wevebeenhacked.html
    
    By Rachel Konrad
    ASSOCIATED PRESS
    June 23, 2003
    
    SAN JOSE - California consumers will learn next month whether their 
    favorite shopping sites are steeled against computer fraud - or haunts 
    of hackers and identity thieves. 
    
    Starting July 1, companies must warn California customers of security 
    holes in their corporate computer networks. When a retailer discovers 
    its credit card numbers have been stolen, it must e-mail customers, 
    essentially saying, "We've been hacked, and the hacker may have your 
    credit card number." 
    
    Local politicians call the regulation the first of its kind in the 
    United States, and it could become the model for a nationwide law. 
    U.S. Sen. Dianne Feinstein plans to introduce similar legislation 
    within a month. 
    
    "Corporate and government databases are increasingly becoming targets 
    of identity thieves seeking Social Security numbers and other 
    sensitive personal data," the California Democrat said in an e-mail. 
    "Under current law, all too often people are unaware that an identity 
    thief has gained this information and may be using it to run up credit 
    card bills or use it to manufacture a new identity." 
    
    California's new regulation contrasts with the Bush administration's 
    hands-off treatment of the technology industry, particularly when it 
    comes to controversial e-commerce issues such as privacy and fraud. 
    
    Although the FBI and Federal Trade Commission have hunted down Web 
    site operators involved in fraudulent sales and auctions, proponents 
    of the laissez-faire approach worry that regulations would hamper 
    innovation in a fledgling industry. 
    
    "You cannot legislate good behavior," said eBay chief security officer 
    Howard Schmidt, who resigned this spring as a top cybersecurity 
    adviser to President Bush. "The administration's policy was not to 
    look to legislation or regulation to improve security but to look to 
    market forces to drive it." 
    
    But many technology executives and legal experts applaud the bold 
    attempt to crack down on identity theft, one of the fastest growing 
    crimes. 
    
    The U.S. Postal Service reports that 50,000 people a year have become 
    victims of identity theft, and the U.S. Treasury Department says 
    thieves ring up $2 billion to $3 billion per year on stolen credit 
    cards alone. As victims expend hours or days canceling debit and 
    credit cards, obtaining new ones and re-establishing accounts and 
    passwords, corporate America loses billions of dollars more in 
    productivity. 
    
    Proponents say the California bill makes executives more accountable 
    for computer fraud. It doesn't impose specific monetary fines, but the 
    regulation makes companies with questionable computer networks more 
    vulnerable to lawsuits and public scorn. 
    
    "It's a wake-up call for companies to make major, across-the-board 
    changes in every part of the company," said Nick Akerman, an attorney 
    specializing in computer fraud in the New York office of Dorsey & 
    Whitney. "Companies are afraid to report breaches because they think 
    it reflects badly on them, and they don't want the bad publicity of 
    becoming known as a company that's been hacked into. This bill says, 
    'You can't continue business as usual.'" 
    
    The regulation applies to any company that stores data electronically 
    and does business in California. Companies must alert customers 
    whenever "unencrypted personal information was, or is reasonably 
    believed to have been, acquired by an unauthorized person." 
    
    The bill defines "personal information" as an individual's first name 
    or initial and last name, with one of the following: Social Security 
    number; driver's license number; state identification number; or 
    credit or debit card account number and security code. 
    
    Except when disclosure would impede a criminal investigation, 
    companies must notify consumers "in the most expedient time possible," 
    with an e-mail or letter. 
    
    If a hacker gains access to data for 500,000 or more customers, the 
    company might have to notify people through e-mail, a "conspicuous" 
    posting on a Web site and disclosure to a major media outlet. 
    
    Some say the bill does for computer security what the Sarbanes-Oxley 
    Act tried to do for accounting. Bush signed it into law in 2002 after 
    scandals at Enron and WorldCom as an attempt to legislate corporate 
    ethics by making companies disclose shortcomings in financial 
    reporting. 
    
    "Before the regulation, you would have had an 'Oh, my God' response 
    and worried maybe that your boss would get angry with you," Matt 
    Stevens, a vice president at Walpole, Mass.-based database security 
    company Network Intelligence, said of the California bill. "Now 
    there's a corporate malfeasance issue." 
    
    Amazon.com, Lands' End, REI and numerous other companies with 
    extensive databases would not comment on the bill. Dell Computer, 
    which sells 50 percent of its goods online, said it applauds the 
    regulation. 
    
    "This legislation codifies what we've had in place for a long time," 
    spokeswoman Cathie Hargett said. "In those very, very rare cases we 
    believe customer information has been compromised, we tracked who was 
    affected ... and alerted them by e-mail - simply because we think it's 
    good business practice. They appreciate the notification." 
    
    Sending e-mails to customers is daunting, but sending alerts to 
    newspapers and wire services truly panics e-commerce executives, said 
    Peggy Weigle, chief executive of Santa Clara-based security company 
    Sanctum Inc. The regulation would treat computer vulnerabilities like 
    automobile recalls - critical safety data that must not be kept from 
    the public. 
    
    "The public has been under the impression that the transactions 
    they're doing online are really secure," Weigle said. "That's because 
    most businesses don't call up the San Francisco Chronicle and say, 'We 
    just had a quarter million credit cards stolen.' That info never sees 
    the light of day - until this regulation takes effect." 
    
    Nearly half of the 530 companies and government agencies polled in 
    January by the FBI and San Francisco-based Computer Security Institute 
    acknowledged their networks had been the victim of an unauthorized, 
    internal hacker in the past year, and unauthorized outsiders 
    penetrated more than one in three companies. 
    
    It's unclear whether the alarming level of computer fraud will result 
    in so many warnings that consumers ignore them. 
    
    Andy Carvin, an e-commerce enthusiast in Washington, D.C., would like 
    a national version of the California bill. Carvin discovered his 
    credit card information was stolen two years ago, when Visa called to 
    ask whether he ordered $3,000 in personal computers and moved to the 
    Philippines. He suspects a hacker stole data during an online 
    transaction. 
    
    "It would have been great if one of the airlines where I had bought 
    tickets or Amazon.com or MacWarehouse had sent a letter with some 
    useful advice," Carvin said. "I'd feel they wanted to help me." 
    
    ISN is currently hosted by Attrition.org