
[infowar.de] California introduces mandatory reporting of computer break-ins



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

This is the first law that does not rely merely on companies' voluntary
willingness to cooperate but actually compels something. Many (among
others Rick Forno and Bruce Schneier) had called for this in reaction to
the very lax cyber-security strategy of the GW Bush administration.
Cf. e.g. RF at http://archive.infopeace.de/infowar.de/msg03232.html
The only question is: how is anyone supposed to check whether anybody
complies with it?
RB


http://www.businessweek.com:/print/technology/content/nov2002/tc20021111_2402.htm?tc

Business Week Online NOVEMBER 11, 2002 

SECURITY NET 
 By Alex Salkever 

 Computer Break-Ins: Your Right to Know

 California law now demands that the public be informed when government
or corporate databases are breached. It's about time

 In April, 2002, hackers broke into the payroll database for the state
of California. For more than a month, cybercriminals rooted around in
the personal information of 265,000 Golden State employees, ranging from
Governor Gray Davis to maintenance workers and clerks. 

 Worse, the California Controller's Office, which ran the database,
failed to notify state employees for more than two weeks after the
breach was discovered. Although officials with the Controller's office
insisted the break-in probably hadn't resulted in any significant harm,
the incident enraged Golden State pols and employees, whose Social
Security numbers, bank account information, and home addresses were fair
game for the hackers. 

 This lapse sparked what may mark a dramatic shift in legal policy
toward cybersecurity. Over strenuous objections from the business lobby,
on Sept. 26 California enacted a sweeping measure that mandates public
disclosure of computer-security breaches in which confidential
information may have been compromised. The law covers not just state
agencies but private enterprises doing business in California. Come July
1, 2003, those who fail to disclose that a breach has occurred could be
liable for civil damages or face class actions (click here for more
information on the legislation, bill number SB 1386). 

 LEAPFROGGING D.C.  According to legal experts, this is the first state
law of its kind. And because of California's size and prominent role in
the high-tech industry, it could create a de facto national disclosure
policy. What's more, the California law leapfrogs efforts by industry
and White House cybersecurity chief Richard Clarke to create an amnesty
policy designed to encourage companies to share information about
breaches with law enforcement. That policy, which is written into the
still-pending House version of the Homeland Security Act, would exempt
from the U.S. Freedom of Information Act any information about security
breaches that's shared with the federal government. 

 I think the California law is long overdue. In far too many instances,
companies and governments have kept mum after they were hacked, seeking
to preserve their reputations and avoid public outcry while their
customers face risk of identity theft. Computer-security breaches must
be treated like any other issue of public safety, and people must be
informed when they're at risk. 

 The bill cuts to the quick of what has been an extremely contentious
issue in the computer-security field. Businesses and many
law-enforcement personnel argue that disclosing security breaches to the
public could affect legal cases and disrupt investigations. It also
would make companies more reluctant to share information on cyberattacks
-- making it harder to fight hackers. 

 NUISANCE SUITS.  "Because businesses currently fear sharing information
about cyberattacks, they're holding information back. Because of that,
we're less equipped at the government level and the industry level to
figure out where our vulnerabilities are great and how to address them,"
says Mario Correa, director of Internet and security policy for the
Business Software Alliance, a high-tech trade group. 

 Legal experts fear that the law could unleash a torrent of nuisance
litigation. "A statute like California's is going to give rise to untold
number of class actions, some of them created by aggressive plaintiff
lawyers," says Jeffrey D. Neuburger, an expert in technology law and a
partner at New York City firm Brown Raysman Millstein Felder &
Steiner. "It won't serve the public's interest." 

 Consumer groups strongly disagree. Consumer Union, the self-styled
advocacy group that helped craft the California bill, argues that if the
public doesn't know what's going on, people can't protect themselves
from crimes such as identity theft and credit-card fraud. Even if it
appears that a breach hasn't resulted in major exposures of critical
information, such as Social Security or bank-account numbers, the
reality is that it's impossible to know for sure whether intruders have
grabbed any sensitive data. 

 THE NET REMEMBERS.  "We can't protect ourselves if we don't know what's
being done with our information," says Gail Hillebrand, a senior
attorney at CU. She rightly points out that timely notification would
allow victims to warn the three big credit-reporting agencies to watch
out for strange activity on their accounts or to give victims time to
request a new driver's license or credit-card number, or open a new bank
account. 

 The Internet's elephantine memory is also a concern. Nothing that makes
it onto the Net in a digital format ever really disappears. "As our
information exists in more databases, we are exposed to more risks of
identity theft," says Hillebrand. She thinks a salutary benefit of the
legislation would be companies and agencies putting a higher priority on
data security and taking more preventive action. "We always hear there
will be litigation, but the best way to avoid litigation is to have good
prevention in place," says Hillebrand. 

 Most businesses that get hacked surely do the right thing and inform
customers. Also, the idea of allowing companies to quietly share
technical information on breaches with investigators clearly has merit.
In some instances, law enforcement's claims that full disclosure will
ruin investigations are valid. For that reason, the California law
includes a clause suspending full disclosure if such a move would harm
an investigation. 

 Under any other circumstance, however, the public's right to know
should trump a company or government's right to save face or money.
