By Alex Salkever In April, 2002, hackers broke into the payroll database for the state of California. For more than a month, cybercriminals rooted around in the personal information of 265,000 Golden State employees, ranging from Governor Gray Davis to maintenance workers and clerks.
Worse, the California Controller's Office, which ran the database, failed to notify state employees for more than two weeks after the breach was discovered. Although officials with the Controller's office insisted the break-in probably hadn't resulted in any significant harm, the incident enraged Golden State pols and employees, whose Social Security numbers, bank account information, and home addresses were fair game for the hackers.
This lapse sparked what may mark a dramatic shift in legal policy toward cybersecurity. Over strenuous objections from the business lobby, on Sept. 26 California enacted a sweeping measure that mandates public disclosure of computer-security breaches in which confidential information may have been compromised. The law covers not just state agencies but private enterprises doing business in California. Come July 1, 2003, those who fail to disclose that a breach has occurred could be liable for civil damages or face class actions (here's more information on the legislation, bill number SB 1386).
LEAPFROGGING D.C. According to legal experts, this is the first state law of its kind. And because of California's size and prominent role in the high-tech industry, it could create a de facto national disclosure policy. What's more, the California law leapfrogs efforts by industry and White House cybersecurity chief Richard Clarke to create an amnesty policy designed to encourage companies to share information about breaches with law enforcement. That policy, which is written into the still-pending House version of the Homeland Security Act, would exempt from the U.S. Freedom of Information Act any information about security breaches that's shared with the federal government.
I think the California law is long overdue. In far too many instances, companies and governments have kept mum after they were hacked, seeking to preserve their reputations and avoid public outcry while their customers face risk of identity theft. Computer-security breaches must be treated like any other issue of public safety, and people must be informed when they're at risk.
The bill cuts to the quick of what has been an extremely contentious issue in the computer-security field. Businesses and many law-enforcement personnel argue that disclosing security breaches to the public could affect legal cases and disrupt investigations. It also would make companies more reluctant to share information on cyberattacks -- making it harder to fight hackers.
NUISANCE SUITS. "Because businesses currently fear sharing information about cyberattacks, they're holding information back. Because of that, we're less equipped at the government level and the industry level to figure out where our vulnerabilities are great and how to address them," says Mario Correa, director of Internet and security policy for the Business Software Alliance, a high-tech trade group.
Legal experts fear that the law could unleash a torrent of nuisance litigation. "A statute like California's is going to give rise to untold number of class actions, some of them created by aggressive plaintiff lawyers," says Jeffrey D. Neuburger, an expert in technology law and a partner at New York City firm Brown Raysman Millstein Felder & Steiner. "It won't serve the public's interest."
Consumer groups strongly disagree. Consumer Union, the self-styled advocacy group that helped craft the California bill, argues that if the public doesn't know what's going on, people can't protect themselves from crimes such as identity theft and credit-card fraud. Even if it appears that a breach hasn't resulted in major exposures of critical information, such as Social Security or bank-account numbers, the reality is that it's impossible to know for sure whether intruders have grabbed any sensitive data.
THE NET REMEMBERS. "We can't protect ourselves if we don't know what's being done with our information," says Gail Hillebrand, a senior attorney at CU. She rightly points out that timely notification would allow victims to warn the three big credit-reporting agencies to watch out for strange activity on their accounts or to give victims time to request a new driver's license or credit-card number, or open a new bank account.
The Internet's elephantine memory is also a concern. Nothing that makes it onto the Net in a digital format ever really disappears. "As our information exists in more databases, we are exposed to more risks of identity theft," says Hillebrand. She thinks a salutary benefit of the legislation would be companies and agencies putting a higher priority on data security and taking more preventive action. "We always hear there will be litigation, but the best way to avoid litigation is to have good prevention in place," says Hillebrand.
Most businesses that get hacked surely do the right thing and inform customers. Also, the idea of allowing companies to quietly share technical information on breaches with investigators clearly has merit. In some instances, law enforcement's claims that full disclosure will ruin investigations are valid. For that reason, the California law includes a clause suspending full disclosure if such a move would harm an investigation.
Under any other circumstance, however, the public's right to know should trump a company or government's right to save face or money. Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column