Interesting bit of a quote

dan at geer.org dan at geer.org
Tue Jul 11 21:08:14 EDT 2006


David Wagner writes:
-+------------------
 | dan at geer.com writes:
 | >I can corroborate the quote in that much of SarbOx and
 | >other recent regs very nearly have a guilty unless proven
 | >innocent quality, that banks (especially) and others are
 | >called upon to prove a negative: X {could,did} not happen.
 | >California SB1386 roughly says the same thing: If you cannot
 | >prove that personal information was not spilled, then you
 | >have to act as if it was.
 | 
 | No, it doesn't.  I think you've got it backwards.  That's not what SB1386
 | says.  SB1386 says that if a company conducts business in California and
 | has a system that includes personal information stored in unencrypted form
 | and if that company discovers or is notified of a breach of the security of
 | that system, then the company must notify any California resident whose
 | unencrypted personal information was, or is reasonably believed to have
 | been, acquired by an unauthorized person. [*]
 | <snip>

Been with a reasonable number of General Counsels
on this sort of thing.  Maybe you can blame them
and not SB1386 for saying that if you cannot prove
the data didn't spill then it is better corporate
risk management to act as if it did spill.  All I know
is that the GCs, or for that matter the newspapers,
are full of stories about, say, buying credit-watch
services for everyone who could conceivably be at
any non-zero risk.  "Conceivably at non-zero risk"
maps to "prove a negative" at least as I mean it here.
This may be, in other words, de facto versus de jure
and your interpretation may be the correct one.  It
doesn't seem so to me, but YMMV.

And, yes, SarbOx is worse.

--dan


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
