Are security breach laws a good idea?

By debate
What do you think about California's new security breach law? Do you agree with Jonathan Yarden that this law will have little effect? Share your thoughts about security breach laws, as discussed in the July 7 Internet Security Focus e-newsletter.

Agree with Some

by vsenatore In reply to Are security breach laws ...

I totally agree that if a company is broken into, whether it be physically or hacked, it should be reported to the local police for a physical break-in, and if they have an information security expert on their force, they should also be notified.
The companies should also be responsible for notifying customers if their information is stolen or copied.
As to the liability for flawed software: this should be handled like any other consumer product.
The latest example being the tire problems in the auto industry.


Yes, Breach Notices are a good idea.

by Turnblade In reply to Are security breach laws ...

Breach notices are a direct measure of computing security commitment.

I would argue that the aversion to security breach notices is the same argument given for choosing the under-baked levels of computing security. Further, responsible information security reduces the risks of a security breach and the costs of notification.

In effect, the business risk exposure of expense from a security breach notification is similar to the cost/benefit advantage of avoiding security breaches in the first place.

When it comes to saving money, prevention of security breaches is the least expensive plan.
Breach notification laws encourage prevention by quantifying the minimum costs of a breach.

Best Regards,

Don Turnblade, MS, CISSP


Follow the money!

by thunderwolf In reply to Yes, Breach Notices are a ...

There seems to be a need for better security. Everyone agrees that the squeaky wheel gets the grease or, in this case, the money. I have seen "major" breaches that didn't expose personal info and "minor" ones that exposed the whole system. The worst are the internal ones. They are often hard to detect and can be impossible to track. The question becomes one of judgement on the part of the IT folks. It's never black and white, always ambiguous, and it will bite you in the butt, big time! How do you tell folks that someone has been tromping all over your server and you don't know who did it or what was seen?
The nightmare for us is when there is a breach, we decide that no personal data was compromised, we don't notify any clients, and later some of them are hit with identity theft. When their lawyers come knocking and demand our records, we are toast! They don't have to prove a thing, because we had a breach and didn't tell the customers. It doesn't even have to be remotely connected to our operation! We simply have a documented breach and no notification. Do you still want mandatory notification? This law is an engraved invitation to every damned lawyer in the state to eat your lunch!


Follow money- just like NAFTA's trail

by j.g. In reply to Follow the money!

Item 1.
Bill Moyers, PBS TV journalist, wrote how Karla Hills (sp?) and other NAFTA authors promptly left their govt jobs to work for legal firms arguing NAFTA cases. You can bet they got pay rai$e$. Are the authors of this law looking to do the same?

Item 2.
Fellow TR members, are we reading the same article? Recall the author said:

IF "Company A" has a computer security breach,
it is due to flaws in software that is written and sold by Software Company X,
the software company is NOT LIABLE.

Quote: "From the look of the new California law, the responsibility (and possible liability) of using 'defective software' still rests with the company that was hacked. Sorry, that just doesn't make good sense to me."

I agree with the author on this one.

To quote Bismarck, "People fond of the law or sausages should never watch either of them being made."


Breach disclosures should be legislated

by lmf1701 In reply to Are security breach laws ...

The breach law may have little to no effect, but is better than allowing a company to hide these flaws. While I agree with the assertion of the author that most companies would not purposely create insecure systems, they might have significant reasons (public confidence and financial) to not disclose breaches in their systems once found.

As for the author's assertion that a company should not be held liable for any flaws in software they are reliant upon but have not written, I must disagree. The company that puts together the package is responsible for securing their software against any and all attacks. The burden of liability should always be the responsibility of the party who is providing the service. They need to do adequate testing to insure their customers against attack and never take at face value another vendor's assertion of invulnerability.


Jonathan needs to rethink his position.

by mgb3 In reply to Are security breach laws ...

Jonathan is way, way, way off in his supposition that the liability of being hacked due to "defective software" is not the liability of the company that gets hacked. Way, way, way off. Any company that is going to place eCommerce servers on the web and invite or solicit the public to do business on their website is responsible for the security of their website. If you walk into a brick and mortar store, the company that owns that store is responsible for your welfare while you are in the store - that's why there are undercover security personnel in the store, stopping pickpockets and shoplifters. That's why there are systems like TCP Wrappers, secure shells, SSL, and intrusion detection systems. Companies that put up websites should (and are responsible for) security test their sites to ensure the safety of the users of that site - and are liable for breaches that cause damage or loss to users of the site.

Mike Bennett
KPMG, LLP / Risk and Advisory Services Practice
Information Systems Security Group
