The following text is copyright 2004 by Network World; permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Forced admissions of poor security
By Scott Bradner
It has not been a good few months for San Diego area computer security fans. Back in December San Diego State University reported that private records on more than 175 thousand students, alumni and employees might have been accessed over the Internet by computer hackers. Last month computers at the San Diego Supercomputer Center were broken into. On top of all that, it turns out that private records, including Social Security numbers and driver's license numbers, of more than 350 thousand University of California, San Diego applicants, students, faculty and employees might have been exposed to Internet-based hackers sometime before mid April, when the break-in was discovered.
The University of California, San Diego (UCSD) has been quite aggressive in letting the affected people know about the possible exposure of their private information, information that would be quite helpful to identity thieves. The University issued a press release (http://ucsdnews.ucsd.edu/newsrel/general/securitybreach.asp) and set up a special web site (http://idalert.ucsd.edu/) to provide information and help.
But this aggressiveness in notifying people that their identity might be in the process of being stolen may not be entirely due to UCSD's sense of doing the right thing. Not quite a year ago the California Database Breach Disclosure Act went into effect. (http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html) (Also see http://www.nwfusion.com/columnists/2003/0303bradner.html.) This act requires that California residents be told if personal data about them might have been exposed during a computer break-in.
There does seem to have been a cluster of security problems in San Diego but maybe the reality is that this type of exposure is quite commonplace and it is only the disclosure act that lets us know about the problems, and the act only covers businesses that do business in California. A scary thought.
There is a very easy workaround for the California act -- keep your data encrypted. The disclosure act specifically exempts exposures of encrypted data from the notification rules. So if you do not want to actually fix the security of your systems so that they do not get hacked, and so that unauthorized people inside your company cannot access the private information, just encrypt the data and you will not have to admit to the world that you have porous computer security. By the way, it's not a bad idea to keep this sort of data encrypted even if you think you have good security.
Some things remain fuzzy about the disclosure act. For example, the act applies to "any person or business that conducts business in California." Does it apply to a New Jersey-based web site selling socks over the Internet to a person located in Georgia but whose voting address is in California? How about selling the socks to someone living in San Francisco? If it does apply, how would California enforce the rules? What quality of encryption is required for someone to be exempt? Would encrypting the data using ROT-13 do? (See http://help.netscape.com/kb/consumer/19990114-1.html.)
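As an added illustration of the point raised in the two preceding paragraphs (this is example code written for this reprint, not part of the column and not anything the act or UCSD published): the Go program below, using only the standard library, puts a constructed sample record through ROT-13, which anyone holding the stored data can reverse with no key at all, and through AES-256-GCM, which reverses only with the key and refuses to decrypt if the stored record has been altered. The record contents, the key handling and the function names are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record for the demonstration; not real personal data.
const sampleRecord = "name=J. Doe;ssn=000-00-0000;dl=X0000000"

// Rot13 is the "encryption" the column asks about: a fixed 13-letter shift
// with no key. Applying it twice returns the original, so whoever copies the
// stored data can read it without knowing anything else.
func Rot13(s string) string {
	out := []byte(s)
	for i, c := range out {
		switch {
		case c >= 'a' && c <= 'z':
			out[i] = 'a' + (c-'a'+13)%26
		case c >= 'A' && c <= 'Z':
			out[i] = 'A' + (c-'A'+13)%26
		}
	}
	return string(out)
}

// NewKey returns a fresh random 256-bit AES key. Where this key is stored is
// the whole question: if it sits in the same database as the records, an
// intruder who copies the database has both.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates a record with AES-256-GCM under key.
// The returned blob is nonce || ciphertext || authentication tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error if the key is wrong or if any byte
// of the stored blob was modified, so a tampered record is never trusted.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// ROT-13: the "ciphertext" is readable by anyone who applies ROT-13 again.
	obfuscated := Rot13(sampleRecord)
	fmt.Printf("rot13 stored:    %s\n", obfuscated)
	fmt.Printf("rot13 recovered: %s (no key needed)\n", Rot13(obfuscated))

	// AES-256-GCM: the stored blob is useless without the key, and any
	// modification is detected when it is opened.
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	sealed, err := Seal(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	fmt.Printf("aes-gcm stored:  %x\n", sealed)
	recovered, err := Open(key, sealed)
	fmt.Printf("aes-gcm recovered with key: %s (err=%v)\n", recovered, err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the stored record
	_, err = Open(key, sealed)
	fmt.Printf("aes-gcm tampered record: err=%v\n", err)
}
```

Run it with `go run main.go`. The contrast it shows is the one the column's question turns on: a scheme that needs no key to undo is not encryption in any sense that protects the people in the records, and even a real cipher only helps if the key is kept somewhere the intruder who copied the database cannot also copy.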
Forced honesty is better than no honesty, which seems to be the default for too many corporate lawyers when confronted with an embarrassing situation. But it would be better to design and run things so the embarrassing situation does not arise in the first place.
disclaimer: From what I understand, the Harvard Business and Law Schools have classes on when honesty is the best policy but they did not comment on this topic.