NOVEMBER 11, 2002

SECURITY NET
By Alex Salkever

Computer Break-Ins: Your Right to Know

California law now demands that the public be informed when government or corporate databases are breached. It's about time
Worse, the California Controller's Office, which ran the database, failed to notify state employees for more than two weeks after the breach was discovered. Although officials with the Controller's Office insisted the break-in probably hadn't resulted in any significant harm, the incident enraged Golden State pols and employees, whose Social Security numbers, bank-account information, and home addresses were fair game for the hackers.

This lapse sparked what may mark a dramatic shift in legal policy toward cybersecurity. Over strenuous objections from the business lobby, on Sept. 26 California enacted a sweeping measure that mandates public disclosure of computer-security breaches in which confidential information may have been compromised. The law (bill number SB 1386) covers not just state agencies but private enterprises doing business in California. Come July 1, 2003, those who fail to disclose that a breach has occurred could be liable for civil damages or face class actions.

LEAPFROGGING D.C. According to legal experts, this is the first state law of its kind. And because of California's size and prominent role in the high-tech industry, it could create a de facto national disclosure policy. What's more, the California law leapfrogs efforts by industry and White House cybersecurity chief Richard Clarke to create an amnesty policy designed to encourage companies to share information about breaches with law enforcement. That policy, which is written into the still-pending House version of the Homeland Security Act, would exempt from the U.S. Freedom of Information Act any information about security breaches that's shared with the federal government.

I think the California law is long overdue. In far too many instances, companies and governments have kept mum after they were hacked, seeking to preserve their reputations and avoid public outcry while their customers faced the risk of identity theft. Computer-security breaches must be treated like any other issue of public safety, and people must be informed when they're at risk.

The bill cuts to the quick of what has been an extremely contentious issue in the computer-security field. Businesses and many law-enforcement personnel argue that disclosing security breaches to the public could affect legal cases and disrupt investigations. It also would make companies more reluctant to share information on cyberattacks, making it harder to fight hackers.

NUISANCE SUITS. "Because businesses currently fear sharing information about cyberattacks, they're holding information back. Because of that, we're less equipped at the government level and the industry level to figure out where our vulnerabilities are great and how to address them," says Mario Correa, director of Internet and security policy for the Business Software Alliance, a high-tech trade group.

Legal experts fear that the law could unleash a torrent of nuisance litigation. "A statute like California's is going to give rise to an untold number of class actions, some of them created by aggressive plaintiff lawyers," says Jeffrey D. Neuburger, an expert in technology law and a partner at New York City firm Brown Raysman Millstein Felder & Steiner. "It won't serve the public's interest."

Consumer groups strongly disagree. Consumers Union, the self-styled advocacy group that helped craft the California bill, argues that if the public doesn't know what's going on, people can't protect themselves from crimes such as identity theft and credit-card fraud. Even if it appears that a breach hasn't resulted in major exposure of critical information, such as Social Security or bank-account numbers, the reality is that it's impossible to know for sure whether intruders have grabbed any sensitive data.

THE NET REMEMBERS. "We can't protect ourselves if we don't know what's being done with our information," says Gail Hillebrand, a senior attorney at CU. She rightly points out that timely notification would allow victims to warn the three big credit-reporting agencies to watch for strange activity on their accounts, or give victims time to request a new driver's license or credit-card number, or open a new bank account.

The Internet's elephantine memory is also a concern. Nothing that makes it onto the Net in digital format ever really disappears. "As our information exists in more databases, we are exposed to more risks of identity theft," says Hillebrand. She thinks a salutary benefit of the legislation would be companies and agencies putting a higher priority on data security and taking more preventive action. "We always hear there will be litigation, but the best way to avoid litigation is to have good prevention in place," says Hillebrand.

Most businesses that get hacked surely do the right thing and inform customers. Also, the idea of allowing companies to quietly share technical information on breaches with investigators clearly has merit. In some instances, law enforcement's claims that full disclosure will ruin investigations are valid. For that reason, the California law includes a clause suspending full disclosure if such a move would harm an investigation. Under any other circumstance, however, the public's right to know should trump a company's or government's right to save face or money.

Salkever is Technology editor for BusinessWeek Online and covers computer security issues weekly in his Security Net column

Edited by Douglas Harbrecht