Interesting bit of a quote

David Wagner daw at cs.berkeley.edu
Tue Jul 11 20:50:06 EDT 2006


dan at geer.com writes:
>I can corroborate the quote in that much of SarbOx and
>other recent regs very nearly have a guilty unless proven
>innocent quality, that banks (especially) and others are
>called upon to prove a negative: X {could,did} not happen.
>California SB1386 roughly says the same thing: If you cannot
>prove that personal information was not spilled, then you
>have to act as if it was.

No, it doesn't.  I think you've got it backwards.  That's not what SB1386
says.  SB1386 says that if a company conducts business in California and
has a system that includes personal information stored in unencrypted form
and if that company discovers or is notified of a breach of the security of
that system, then the company must notify any California resident whose
unencrypted personal information was, or is reasonably believed to have
been, acquired by an unauthorized person. [*]

If you know or are notified that the security of your system has been
breached and if you know or have some reason to believe that someone
has received unauthorized access to unencrypted personal information
about California residents, then sure, you have to act on the presumption
that the personal information was spilled.  So what?  That seems awfully
reasonable to me.

In short, my reading of SB1386 is that companies only have to notify
customers if (a) they know or are notified of a security breach and
(b) they know or have reason to believe that this breach led to an
unauthorized disclosure of personal information.  In other words, SB1386
treats companies as innocent until there is some reason to believe that
they are guilty.  I don't know anything about SOX, but I think you've
mis-characterized SB1386.  Don't tar SB1386 with SOX-feathers.


[*] This is pretty close to a direct quote from Section 1798.82(a)
of California law.  See for yourself:
  http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com