California is set to enact its Database Security Breach Notification Act in July, but the president of a self-described company of hackers wants to know how that law can be enforced.
Gary Morse, president of Razorpoint Security Technologies, Inc., told TechRepublic he supports the idea behind the new California law and others like it. “It’s a great step in the right direction,” he said. “But what I want to know is how you enforce it.”
The Database Security Breach Notification Act requires California companies to report network security breaches that compromise personal information (e.g., Social Security, drivers license, or account numbers). That notice must be written or electronic, which could include e-mail, a “conspicuous posting” on the company’s Web site, or contacting the news media to alert the public.
The act was prompted by a wildly successful hack in which the private information of about 250,000 state workers was compromised. Other states are watching the law closely and U.S. senator Diane Feinstein (D-Calif.) is supporting a similar bill, which, if passed, would make this sort of disclosure federal law.
But can it be enforced?
Morse has good reason to suspect that the law cannot be enforced. The last thing a victimized business wants known is that their network has been compromised at all. The reasons are obvious. There’s embarrassment, possible litigation, and the real fear of reduced consumer confidence. In addition, the financial markets might see the company as a less-than-safe investment risk, which could mean a drop in stock value. On top of that, recovering from a network security breach can involve very expensive remediation.
So, as they say, an ounce of prevention is worth a pound of cure. That’s why some organizations turn to companies like Razorpoint and its team of what Morse called “professional hackers.”
“And when we find a security vulnerability, we are a lot more forthcoming than the hacker will be,” he said. But companies aren’t interested in being forthcoming themselves; there’s too much to lose if they do. “Being in this industry, I see a much broader view of this problem,” Morse said.
How to deal with the new law
Obviously, if a California company fails to report a breach, it is violating the law. While Morse has serious doubts about the law’s enforceability, he does have some advice for IT professionals who are wondering how they should deal with the new law, either in California or elsewhere similar legislation may be enacted. Morse suggested a two-tiered approach to keep a company in compliance: prevention and proper IT staffing. The latter reinforces the former, Morse said. If companies properly monitor their network and keep hackers and crackers out, then there won’t be a breach to report. And making sure their IT departments are properly staffed and trained will go a long way towards prevention, Morse said.
“I would urge the CIO, CTO, the IT manager to take a good look at their IT staff.” Too often, Morse said, he has worked with companies with understaffed and poorly trained IT departments. This can result in the kinds of security breaches that California companies now have every incentive to prevent.
One of the first things Morse asks a new client is to describe their existing network security. Too often, he said, “I get blank stares. And I tell them, ‘You can tell me about your books, you should be able to tell me about your security.’ … chances are, the company that can’t has already been compromised.”
Morse also recommended that companies look at network security not just as an IT expense, but also as a company investment. “Security is a management-level decision,” he explained. “Not just an IT decision.” And it’s not just about firewalls, passwords, and VPNs, he said. “Security is a process,” Morse said, “not a product.”
Companies that recognize network security as an investment “are the companies that get it,” Morse explained. “These are the companies that are much more secure, and these are not the companies that call us all in a panic.”