California State Bill SB1386

From: Steve Zenone (zenoneat_private)
Date: Fri Mar 21 2003 - 17:03:14 PST


    Hello,
    
    This message is in regards to getting clarification on what 
    to do in the event of a breach per SB1386.
    
    Starting on July 1, 2003, California State Bill SB1386 will 
    become operative. From a technical InfoSec perspective, I
    am unclear about a section of the bill.
    
    In a nutshell, to quote from the original bill text, SB1386
    will...
    
     "require a state agency, or a person or business that 
      conducts business in California, that owns or licenses 
      computerized data that includes personal information, 
      as defined, to disclose in specified ways, any breach of
      the security of the data, as defined, to any resident 
      of California whose unencrypted personal information 
      was, or is reasonably believed to have been, acquired 
      by an unauthorized person." 
    
    The unclear part is the use of the word "unencrypted".
    For example, can someone jokingly use ROT13 to encrypt 
    data and say, "hey - it's encrypted!"?
    
     % cat data | tr 'a-zA-Z' 'n-za-mN-ZA-M' > encrypted
    
    In other words, what defines encryption so as to satisfy
    this bill's requirements?
    
    Secondly, what if I have an encrypted database, but an
    "attacker" is able to monitor the plaintext traffic over 
    http from the front-end webserver (which is fed data from
    the encrypted DB) to the remote browser client? Obviously,
    there is a breach. The "attacker" isn't getting the entire
    database. Rather, they're able to get session specific 
    plaintext packet dumps. If the breach occurred on my 
    network, I take it that this would need to be disclosed 
    per the bill. What if the breach occurred outside of my 
    network and affected sessions between my network and
    provider XYZ? Does the bill still require me to disclose?
    
    This is hypothetical. Of course, it would make more sense
    using https as opposed to http. However, for the sake of
    trying to get clarification, I tossed out the above example.
    
    Last example: what if the data moves over the Net via SSL 
    to a remote user's workstation, where it is then stored
    unencrypted? If the user's system is compromised and
    the data is "acquired by an unauthorized person", where
    do we go based upon the requirements of SB1386? 
    
    Thanks in advance for your insight.
    
    SB1386 original text:
     http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
    
    Regards,
    Steve
    
    
    This archive was generated by hypermail 2b30 : Sat Mar 22 2003 - 12:17:41 PST