Depending on whom you ask, you'll get various opinions about whether companies should be required by law to disclose computer security problems to their customers. Let's face it: No matter what you do to secure online information, there's always going to be someone trying to find a way to break in.
As of July 1, 2003, it's the responsibility of companies operating in or doing business in California to notify customers if there is a security compromise to their networks or equipment. Although I'm a proponent of full disclosure as it relates to software defects, California Bill Number SB 1386 goes too far too fast. I don't think any company would purposely have insecure systems, yet it's next to impossible to absolutely guarantee software security.
Dealing with customers
Significant computer security breaches have already occurred with most online companies, and they have managed to repair the problems and deal with their customers on their own terms—even when the problem wasn't due to software they wrote.
That's just one of the reasons this legislated approach to enforcement of information security has problems. Whether a company is using someone else's software or its own, it will still be responsible for notifying customers if systems are compromised.
Here's where it gets sticky
But what if the software vendor never disclosed the compromises to the company that uses it? Who should suffer the burden of liability?
From the look of the new California law, the responsibility (and possible liability) of using "defective software" still rests with the company that was hacked. That just doesn't make sense to me. If California wants to legislate the disclosure of security breaches, it also needs to legislate mandatory full disclosure of software defects by companies selling software in California.
To be honest, I'm skeptical that this law will have any real effect other than to cause problems for a lot of businesses operating in California. I'm also sure this law may spill over into other states. Don't get me wrong. I agree that companies have a responsibility to ensure, to the best of their abilities, that customer information is protected. I just feel it's good customer service to do this, and it doesn't need to be legislated.
But my biggest concern is that this law doesn't specifically address the possible consequences of a security breach. The vague definition of liability is typical of open-ended legislation that's ripe for legal abuse.
I fear that the liability and cost of doing business will become too great, and companies will simply not do online business in California. And if similar laws appear in other states, the only recourse for companies to avoid liability may be to simply go overseas, like most of the online gambling sites have. Connecting to a server in California is no different from connecting to one in Bermuda, except that businesses in Bermuda won't have to worry about being sued if their systems get hacked.
This article was originally published in the Internet Security Focus e-newsletter.