FC: Problems with California's "you've been hacked" law

From: Declan McCullagh (declanat_private)
Date: Mon Jul 14 2003 - 07:34:32 PDT

    [If enough people cared to know about whether their email accounts have 
    been hacked, some bright entrepreneur would probably figure this out and 
    launch such a service in hopes of getting rich. Because that hasn't 
    happened, I'd guess that people probably don't care as much as politicians 
    think, or, alternatively, existing ISPs' policies may suffice. For 
    instance, The Well notified me after some miscreants compromised my account 
    and John Markoff's and the accounts of a few other journalists (this was 
    years ago). --Declan]
    
    ---
    
    Date: Sun, 13 Jul 2003 21:36:49 -0700 (PDT)
    From: No Thanks <foogert99at_private>
    Subject: California Privacy Law
    To: declanat_private
    
    Greetings, Declan.
    
    Perhaps I missed it, but I'm not sure that I've seen any Politech coverage 
    of the new California Privacy Law that requires companies to notify their 
    customers if personal information is stolen, or is believed to have been 
    stolen, by "hackers".
    
    This law, which was introduced into the California Senate as SB 1386, and 
    became California Civil Code 1798.82 on July 1 2003, has been widely 
    reported as requiring companies to notify their customers of a security 
    breach that resulted in the disclosure of "customer information" to 
    unauthorized third parties.
    
    Notably, Senator Dianne Feinstein recently introduced a similar bill into 
    the US Senate, seeking to create a national law based on the California 
    policy. The US Senate bill is number SB 1350, and is reassuringly titled 
    "The Notification of Risk to Personal Data Act."
    
    I initially believed that this law required companies to notify us if they 
    believed that *any* of our "customer information" had been stolen. And I've 
    read a number of articles in the technology press applauding the law, since 
    it seems to support transparency and disclosure, and because it puts some 
    responsibility and liability on the shoulders of those whose inaction makes 
    security breaches possible in the first place.
    
    But before we start celebrating, I'd like to encourage you and your readers 
    to read the actual text of the California law, which is available in PDF 
    format at the URL below. Unless I'm reading it wrong (IANAL), the only 
    "customer information" protected by this law is social security number, 
    driver's license number, or credit card/bank account number.
    
    I was pretty surprised by that, and I'm surprised that none of the coverage 
    that this got in the technology press pointed out the loophole this leaves. 
    For example, if somebody hacks my HMO and steals all my medical records, 
    the HMO wouldn't be required to notify me, unless my SSN# was also stolen!
    
    Or, if somebody (god forbid) cracked Hotmail, and downloaded all my email, 
    including the password reminder my bank sent me - they wouldn't have to 
    notify me of that, either.
    
    I had thought that this law might be useful for going after companies who 
    refuse to acknowledge or address security vulnerabilities in their 
    software, or companies whose boneheaded customer service practices leave 
    them open to social engineering exploits. Admittedly, I have an axe to 
    grind on the latter count, as the author of the "full disclosure" site 
    referenced below.
    
    But, it seems this law has no relevance to that matter, or any other 
    security breach that isn't the direct precursor to identity theft in the 
    conventional sense. I think that's something that everybody should know 
    about the California law, and also about the opportunity that would be 
    missed by Senator Feinstein's bill, should that become a nationwide law.
    
    CA Senate Bill 1386: 
    http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
    
    SJ Mercury News Article (says the law requires notification if companies 
    "even suspect that hackers or others have gained unauthorized access to 
    customer information"): 
    http://www.bayarea.com/mld/mercurynews/business/6209059.htm
    
    PC World Article on SB 1386: 
    http://www.pcworld.com/news/article/0,aid,110678,00.asp
    
    Full Disclosure of DirecTV Customer Privacy Exploit: 
    http://www.geocities.com/foogert99/
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    -------------------------------------------------------------------------
    To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    Declan McCullagh's photographs are at http://www.mccullagh.org/
    Like Politech? Make a donation here: http://www.politechbot.com/donate/
    -------------------------------------------------------------------------
    This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 07:51:52 PDT