General discussion

  • #2303424

    Are security breach laws a good idea?


    by debate ·

    What do you think about California’s new security breach law? Do you agree with Jonathan Yarden that this law will have little effect? Share your thoughts about security breach laws, as discussed in the July 7 Internet Security Focus e-newsletter.
    If you haven’t subscribed to our free Internet Security Focus e-newsletter, sign up today!
    http://www.techrepublic.com/techmails.jhtml?repID=r001

All Comments

  • #3353024

      thank you

      by juliana729 ·

      In reply to Are security breach laws a good idea?

      Dear,

      I would like to thank you a lot for your perfect site, and I would like to have every piece of information that you have for the site. The one who likes it downloads many things from your site and other programs that are really difficult to find on a site like yours.

      Thanks

    • #3353022

      What’s the alternative?

      by blue36 ·

      In reply to Are security breach laws a good idea?

      Self-enforcement of good practices is not one of the business community’s strong points.

      Sure. It is good customer service but if the choice is telling the customer bad news that may hurt sales or just deny everything, the “knee-jerk” reaction is definitely to shut up.

      Is the law perfect? Will it encourage business in California? Definitely not. Is it a step in the right direction? Definitely. And what is that “right direction”? Getting companies to take system administration and system security as a serious business concern that can’t be ignored nor handled by the “marketing” department.

    • #3353021

      The Car Analogy

      by eliwap ·

      In reply to Are security breach laws a good idea?

      If a car manufacturer fails to repair known manufacturer’s defects, and those defects result in injury or loss of property, then those manufacturers can and should be held liable. Identity theft is significant damage. It’s about time that software and services as products be held to the same standards as other manufactured goods.

      What this legislation does is prove defects when they emerge. Like other products, it will force the defects to be publicized without prejudice and give software manufacturers and service providers motivation to fix the problems or be held liable.

      Ever wonder why Microsoft’s patches are free? Because they know what everyone should understand: that the non-liability clauses in most software licensing agreements are meaningless. Manufacturers are legally responsible for manufacturer’s defects. And it’s high time that they be brought to account.

    • #3352987

      breach of security law

      by barffalong ·

      In reply to Are security breach laws a good idea?

      This country is becoming a police state. I realize we need laws, but the politicians we have now seem to think, “Let’s just pass another law; the masses will think we are doing something.” The companies will take care of themselves; if not, they will fail to exist.

      • #3352959

        My 2 cents

        by todd ·

        In reply to breach of security law

        When I informed my superiors about this, their first response was, what constitutes a security breach?
        If nothing else, maybe that question will be answered.

        However, I also see one other problem with informing individuals. Typically, a breach means that information was stolen/accessed; a lot of times that relates to financial data, like credit card numbers.

        I was told some credit card companies require that ‘they’ notify the client, which allows them to work with law enforcement in capturing whoever stole or would attempt to use stolen information. It also stops individuals that might attempt to profit from the fact that information was stolen.

        If the above is true, then companies now have to determine which comes first: the contractual obligation of the merchant to the credit company, or a state law that may or may not be enforceable? If credit card companies come out and say they don’t want that information released, which do you think would happen: California keeps the law and loses credit card capabilities, or they change/remove the law and keep credit card capabilities?

        Regardless of what happens, I predict California’s residents will now be paying a little bit more for any services they receive, since merchants will have to add the possible cost of notifying them to the sale, and eventually some lawyers are going to get richer if or when they find clients that challenge the new law.

        • #3352944

          Perhaps it’s a good start.

          by azdesertdude2000 ·

          In reply to My 2 cents

          There are a couple of possible desirable results from this new law.

          First, at present we do not know the true extent of security breaches because companies choose not to publicize the information. They don’t talk about it because of fear that customers will panic. We need to know the extent of the problem and the damage done so that we can improve our defensive capabilities.

          Second, the law targets the software user, as it should, but the software manufacturer will not be far behind. The software user must first be held accountable for proper use of the product. If the security breach occurred because of a defect in the software, then the user and/or the public should go after the manufacturer for damages. Defect of the product in use is a valid defense for the software user.

          The overall effect of the law should be to tighten security with the eventual burden on the manufacturer.

    • #3352971

      Governments

      by ccsab ·

      In reply to Are security breach laws a good idea?

      Jonathan,
      Security starts at home. I get 3 to 5 attempts to get into my computer a day; if it were not for my firewall and other security that I have...
      I would go for punishment for those people, but leave the damn government out of it; they screw up our lives enough as it is.
      Sab

      • #3352916

        i’m with you but it’s only a start…

        by shaw ·

        In reply to Governments

        system administrators need to take responsibility and stop trying to blame microsoft and software vendors for everything…if a system loses files or something, that’s a “defect”, but system intrusions are the fault of inept administration. operating systems are not the end all for security issues…they need to be helped/supplemented with a properly designed network (public servers on dmz, vpns…maybe even a honeypot depending on ??? stuff. can you get into your intranet from a public network thru one of your public servers on the dmz…???), stateful firewall and realtime event reporting, a robust intrusion detection system, clearly stated and enforced security policy…proper access controls, forced password guidelines, etc. also people, keep in mind that MOST security breaches occur from within!

        ok people…clean up your own house and stop blaming everyone and everything else.

    • #3352958

      Pros and Cons

      by chameleon186 ·

      In reply to Are security breach laws a good idea?

      It depends on whether it is clearly laid out what kind of breach was committed. For example, someone changes an index page or just gains access to a non-root user on a non-secure server and never reaches sensitive content. I think they shouldn’t have to disclose in that scenario; this could lead to potential client loss over something that really was not a threat in the first place, which happens frequently. If sensitive data areas were accessed and possibly some, if any, data was retrieved, then that kind of breach should be disclosed publicly so possible victims can hopefully take measures.

    • #3352905

      1386: Much to be desired, but . . .

      by jglenncrp ·

      In reply to Are security breach laws a good idea?

      Jonathan Yarden writes (Should breach of security notification be legislated? TechRepublic July 7, 2003) re California SB 1386 that “I don’t think any company would purposely have insecure systems, yet it’s next to impossible to absolutely guarantee software security.”

      The bill’s wording perhaps recognizes that “it’s next to impossible to absolutely guarantee software security” but only requires organizations (of all types) to notify people and organizations who/which may be damaged by a compromised system.

      Mr. Yarden fears “the liability and cost of doing business will become too great, and companies will simply not do online business in California … the only recourse for companies to avoid liability may be to simply go overseas, like most of the online gambling sites have.”

      The bill specifies: “Any person or business that maintains computerized data that includes personal information…” Only virtual organizations can evade California’s statute – e.g. the gambling sites. Hard businesses – banks, insurance companies, used car sales – must comply with the law if they expect to do business in California or with California residents.

      Mr. Yarden doesn’t “think any company would purposely have insecure systems.” This may be true, but my experience is that it also is true that most operations which have strong security in place are those regulated by an organization able to levy penalties for failure to comply with what most of us, I believe, would consider “reasonable precautions.”

      My personal “concern” is the bill apparently applies only to personal information. What about corporations with commercial accounts – I would much rather hack a corporate account; funds to siphon and less chance of being quickly detected.

    • #3359988

      Agree with Some

      by vsenatore ·

      In reply to Are security breach laws a good idea?

      I totally agree that if a company is broken into, whether it be physically or hacked,
      it should be reported to the local police for physical breaches, and if they have an information security expert on their force, they should also be notified.
      The companies also should be responsible to notify customers if their information is stolen or copied.
      As to the liability of the flawed software, this should be handled like any other consumer product,
      the latest example being the tire problems in the auto industry.

    • #3359983

      Yes, Breach Notices are a good idea.

      by turnblade ·

      In reply to Are security breach laws a good idea?

      Breach notices are a direct measure of computing security commitment.

      I would argue that the aversion to security breach notices is the same argument given for choosing the under-baked levels of computing security. Further, responsible information security reduces the risks of a security breach and the costs of notification.

      In effect, the business risk exposure of expense from a security breach notification is similar to the cost/benefit advantage of avoiding security breaches in the first place.

      When it comes to saving money, prevention of a security breach is the least expensive plan. Breach notification laws encourage prevention by quantifying the minimum costs of a breach.

      Best Regards,

      Don Turnblade, MS, CISSP

      • #3359891

        Follow the money!

        by thunderwolf ·

        In reply to Yes, Breach Notices are a good idea.

        There seems to be a need for better security. Everyone agrees that the squeaky wheel gets the grease or, in this case, the money. I have seen “major” breaches that didn’t expose personal info and “minor” ones that exposed the whole system. The worst are the internal ones; they are often hard to detect and can be impossible to track. The question becomes one of judgement on the part of the IT folks. It’s never black and white, always ambiguous, and it will bite you in the butt, big time! How do you tell folks that someone has been tromping all over your server and you don’t know who did it or what was seen?
        The nightmare for us is when there is a breach, we decide that no personal data was compromised, we don’t notify any clients, and later some of them are hit with identity theft. When their lawyers come knocking and demand our records, we are toast! They don’t have to prove a thing, because we had a breach and didn’t tell the customers. It doesn’t even have to be remotely connected to our operation! We simply have a documented breach and no notification. Do you still want mandatory notification? This law is an engraved invitation to every damned lawyer in the state to eat your lunch!

        • #3359875

          Follow money- just like NAFTA’s trail

          by j.g. ·

          In reply to Follow the money!

          Item 1.
          Bill Moyers, PBS TV journalist, wrote how Karla Hills (sp?) and other NAFTA authors promptly left their govt jobs to work for legal firms arguing NAFTA cases. You can bet they got pay rai$e$. Are the authors of this law looking to do the same?

          Item 2.
          Fellow TR members, are we reading the same article? Recall the author said:

          IF “Company A” has a computer security breach,
          AND
          it is due to flaws in software that is written and sold by Software Company X,
          THEN
          COMPANY*A* IS LIABLE, and
          the software company is NOT LIABLE.

          Quote: “From the look of the new California law, the responsibility (and possible liability) of using “defective software” still rests with the company that was hacked. Sorry, that just doesn’t make good sense to me.”

          I agree with the author on this one.

          To quote Bismarck, “People fond of the law or sausages should never watch either of them being made.”

    • #3359727

      Breach disclosures should be legislated

      by lmf1701 ·

      In reply to Are security breach laws a good idea?

      The breach law may have little to no effect, but it is better than allowing a company to hide these flaws. While I agree with the assertion of the author that most companies would not purposely create insecure systems, they might have significant reasons (public confidence and financial) to not disclose breaches in their systems once found.

      As for the author’s assertion that a company should not be held liable for any flaws in software they are reliant upon but have not written, I must disagree. The company that puts together the package is responsible for securing their software against any and all attacks. The burden of liability should always be the responsibility of the party who is providing the service. They need to do adequate testing to insure their customers against attack and never take at face value another vendor’s assertion of invulnerability.

    • #3371991

      Jonathan needs to rethink his position.

      by mgb3 ·

      In reply to Are security breach laws a good idea?

      Jonathan is way, way, way off in his supposition that the liability of being hacked due to “defective software” is not the liability of the company that gets hacked. Way, way, way off. Any company that is going to place eCommerce servers on the web and invite or solicit the public to do business on their website is responsible for the security of their website. If you walk into a brick and mortar store, the company that owns that store is responsible for your welfare while you are in the store – that’s why there are undercover security personnel in the store, stopping pickpockets and shoplifters. That’s why there are systems like tcp wrappers, secure shells, SSLs, and intrusion detection systems. Companies that put up websites should security test (and are responsible for security testing) their sites to ensure the safety of the users of that site – and are liable for breaches that cause damage or loss to users of the site.

      Mike Bennett
      Manager
      KPMG, LLP / Risk and Advisory Services Practice
      Information Systems Security Group
