California's powerful privacy law is slowly trickling down to other states, which are adopting its principles, some with modifications. Washington state adopted a modified version of the law on March 8, 2005. While the Washington version expands the law's scope, it seriously undermines its spirit, potentially rendering the law virtually useless.
The California 1386 privacy law stipulates that any private organization handling sensitive data must notify individuals if there has been unauthorized access to the systems holding that data. The law applies to any organization handling California customers, whether the company is located within or outside the state.
According to the StrongAuth, Inc. newsletter, without this law the following breaches would not have been divulged to the millions of individuals whose identities were at risk:

Polo, Ralph Lauren - April 15, 2005; 180,000 identities affected
UC San Francisco - April 6, 2005; 7,000 identities
UC Davis - April 5, 2005; 1,100 identities
UC Berkeley - March 29, 2005; 96,000 identities
Kellogg (NWU) - March 20, 2005; 3,500 identities
Boston College - March 17, 2005; 100,000 identities
California State University - March 16, 2005; 59,000 identities
DSW - March 10, 2005; 1.4 million identities
Lexis-Nexis - March 9, 2005; 310,000 identities
Bank of America - February 25, 2005; 1.2 million identities
Washington state adopted its own modified version on March 8, 2005, called WA SSB 6043. This law differs from the California version in two respects:

Its scope is expanded to also apply to government and other public institutions.
It allows institutions to apply discretion regarding disclosure, based on whether or not they think the breach could result in criminal mischief.
The latter modification is significant because the law provides virtually no guidance as to how organizations are to make this determination. Here are some disturbing scenarios to consider:
Backup tapes from a storage transport truck are found missing. The company purposefully limits the resources put into the investigation so as to render only a judgement that the tapes were lost, rather than stolen. The company could therefore plausibly deny that criminal activity is possible and deem that it is under no obligation to disclose.
A company is hit with a SQL Slammer type attack that destroys data and logs. Since the company has no record that the data was ever transferred outside the company, it concludes that the purpose of the attack was to destroy data, discounting the possibility that the destruction was not the objective at all, but a way for the attacker to misdirect the investigation by covering his tracks. The company could therefore plausibly deny that criminal activity was possible and deem that it is under no obligation to disclose.
A contracted outsourcing company in India downloads private customer data for the purposes of testing. One of its employees quits and walks off with copies of the source code, including the test data. The main company demands legal action, but the outsourcing company refuses to pursue it. Having no recourse through international law, the main company severs the business relationship. Since the breach took place at another company, at a time when the relationship between the main company and the outsourcing company was specific and legitimate, the main company could plausibly deny knowledge of any potential wrongdoing and could therefore deem that it was under no obligation to disclose.
These scenarios are not far-fetched. Tapes were recently found missing from a UPS truck; SQL Slammer had administrative access to almost every unpatched system in the world running the database or the MSDE; and another company was dismayed to find it had no recourse to pursue legal retribution when a fired outsourced employee walked off with its proprietary code in another country.
"Plausible" deniability can and will be manufactured as needed by companies that seek to limit their liability and public exposure from security mishaps. It is up to audit and IT professionals to do what they can to help keep their companies focused on doing the right thing.
(c) Bar Biszick-Lockwood/QualityIT, Redmond, WA, 2005