General discussion


Are security breach laws a good idea?

By debate
What do you think about California's new security breach law? Do you agree with Jonathan Yarden that this law will have little effect? Share your thoughts about security breach laws, as discussed in the July 7 Internet Security Focus e-newsletter.


Thank you

by juliana729 In reply to Are security breach laws ...


I would like to thank you a lot for your perfect site & I would like to have everything in information that you have for the site; the one I like, it's downloading many things from your site & other programs that are really difficult to find one like yours.



What's the alternative?

by blue36 In reply to Are security breach laws ...

Self-enforcement of good practices is not one of the business community's strong points.

Sure. It is good customer service but if the choice is telling the customer bad news that may hurt sales or just deny everything, the "knee-jerk" reaction is definitely to shut up.

Is the law perfect? Will it encourage business in California? Definitely not. Is it a step in the right direction? Definitely. And what is that "right direction"? Getting companies to take system administration and system security as a serious business concern that can't be ignored nor handled by the "marketing" department.


The Car Analogy

by eliwap In reply to Are security breach laws ...

If a car manufacturer fails to repair known manufacturer's defects, and those defects result in injury or loss of property, then those manufacturers can and should be held liable. Identity theft is significant damage. It's about time that software and services as products be held to the same standards as other manufactured goods.

What this legislation does is prove defects when they emerge. Like other products, it will force the defects to be publicized without prejudice and give software manufacturers and service providers motivation to fix the problems or be held liable.

Ever wonder why Microsoft's patches are free? Because they know what everyone should understand: that the non-liability clauses in most software licensing agreements are meaningless. Manufacturers are legally responsible for manufacturer's defects. And it's high time that they be brought to account.


breach of security law

by barffalong In reply to Are security breach laws ...

This country is becoming a police state. I realize we need laws, but the politicians we have now seem to think, "Let's just pass another law; the masses will think we are doing something." The companies will take care of themselves; if not, they will fail to exist.


My 2 cents

by Todd In reply to breach of security law

When I informed my superiors about this, their first response was: what constitutes a security breach?
If nothing else, maybe that question will be answered.

However, I also see one other problem with informing individuals. Typically, a breach means that information was stolen/accessed; a lot of times that relates to financial data, like credit card numbers.

I was told some credit card companies require that "they" notify the client, which allows them to work with law enforcement in capturing whoever stole or would attempt to use stolen information. It also stops individuals that might attempt to profit from the fact that information was stolen.

If the above is true, then companies now have to determine which comes first: the contractual obligation of the merchant to the credit company, or a state law that may or may not be enforceable? If credit card companies come out and say they don't want that information released, which do you think would happen: California keeps the law and loses credit card capabilities, or they change/remove the law and keep credit card capabilities?

Regardless of what happens, I predict California's residents will now be paying a little bit more for any services they receive, since merchants will have to add the possible cost of notifying them to the sale, and eventually some lawyers are going to get richer if or when they find clients that challenge the new law.


Perhaps it's a good start.

by azdesertdude2000 In reply to My 2 cents

There are a couple of possible desirable results from this new law.

First, at present we do not know the true extent of security breaches because companies choose not to publicize the information. They don't talk about it because of fear that customers will panic. We need to know the extent of the problem and the damage done so that we can improve our defensive capabilities.

Second, the law targets the software user, as it should, but the software manufacturer will not be far behind. The software user must first be held accountable for proper use of the product. If the security breach occurred because of a defect in the software, then the user and/or the public should go after the manufacturer for damages. Defect of the product in use is a valid defense for the software user.

The overall effect of the law should be to tighten security with the eventual burden on the manufacturer.

Governments
by ccsab In reply to Are security breach laws ...

Security starts at home. I get 3 to 5 attempts to get into my computer a day; if it were not for my firewall and other security that I have...
I would go for punishment for those people, but leave the damn government out of it; they screw up our lives enough as it is.


i'm with you but it's only a start...

by shaw In reply to Governments

System administrators need to take responsibility and stop trying to blame Microsoft and software vendors for everything... if a system loses files or something, that's a "defect", but system intrusions are the fault of inept administration. Operating systems are not the end-all for security issues... they need to be helped/supplemented with a properly designed network (public servers on a DMZ, VPNs... maybe even a honeypot depending on ??? stuff. Can you get into your intranet from a public network through one of your public servers on the DMZ...???), a stateful firewall and real-time event reporting, a robust intrusion detection system, a clearly stated and enforced security policy... proper access controls, enforced password guidelines, etc. Also, people, keep in mind that MOST security breaches occur from within!

OK people... clean up your own house and stop blaming everyone and everything else.


Pros and Cons

by chameleon186 In reply to Are security breach laws ...

It depends on whether it is clearly laid out what kind of breach was committed. Example: someone changes an index page or just gains access to a non-root user on a non-secure server and never reaches sensitive content. I think they shouldn't have to disclose in that scenario; this could lead to potential client loss over something that really was not a threat in the first place, and it happens frequently. If sensitive data areas were accessed, and possibly some (if any) data retrieved, then that kind of breach should be disclosed publicly so possible victims can take measures, hopefully.


1386: Much to be desired, but . . .

by JGlennCRP In reply to Are security breach laws ...

Jonathan Yarden writes (Should breach of security notification be legislated? TechRepublic, July 7, 2003) re California SB 1386 that "I don't think any company would purposely have insecure systems, yet it's next to impossible to absolutely guarantee software security."

The bill's wording perhaps recognizes that "it's next to impossible to absolutely guarantee software security" but only requires organizations (of all types) to notify people and organizations who/which may be damaged by a compromised system.

Mr. Yarden fears "the liability and cost of doing business will become too great, and companies will simply not do online business in California ... the only recourse for companies to avoid liability may be to simply go overseas, like most of the online gambling sites have."

The bill specifies: "Any person or business that maintains computerized data that includes personal information..." Only virtual organizations can evade California's statute - e.g. the gambling sites. Hard businesses - banks, insurance companies, used car sales - must comply with the law if they expect to do business in California or with California residents.

Mr. Yarden doesn't "think any company would purposely have insecure systems." This may be true, but my experience is that it also is true that most operations which have strong security in place are those regulated by an organization able to levy penalties for failure to comply with what most of us, I believe, would consider "reasonable precautions."

My personal "concern" is that the bill apparently applies only to personal information. What about corporations with commercial accounts? I would much rather hack a corporate account: funds to siphon and less chance of being quickly detected.
