New California law forces companies to disclose hacking

Posted by: Ice

New California law forces companies to disclose hacking - 06/23/03 07:27 PM

It's about time companies started warning their customers of potential identity theft

=====

California consumers will learn next month whether their favorite shopping sites are steeled against computer fraud -- or haunts of hackers and identity thieves.

Starting July 1, companies must warn California customers of security holes in their corporate computer networks. When a retailer discovers its credit card numbers have been stolen, it must e-mail customers, essentially saying, ``We've been hacked, and the hacker may have your credit card number.''

Local politicians call the regulation the first of its kind in the United States, and it could become the model for a nationwide law. U.S. Sen. Dianne Feinstein plans to introduce similar legislation within a month.

``Corporate and government databases are increasingly becoming targets of identity thieves seeking Social Security numbers and other sensitive personal data,'' the California Democrat said in an e-mail. ``Under current law, all too often people are unaware that an identity thief has gained this information and may be using it to run up credit card bills or use it to manufacture a new identity.''

California's new regulation contrasts with the Bush administration's hands-off treatment of the technology industry, particularly when it comes to controversial e-commerce issues such as privacy and fraud.

Although the FBI and Federal Trade Commission have hunted down Web site operators involved in fraudulent sales and auctions, proponents of the laissez-faire approach worry that regulations would hamper innovation in a fledgling industry.

``You cannot legislate good behavior,'' said eBay chief security officer Howard Schmidt, who resigned this spring as a top cybersecurity adviser to President Bush. ``The administration's policy was not to look to legislation or regulation to improve security but to look to market forces to drive it.''

But many technology executives and legal experts applaud the bold attempt to crack down on identity theft, one of the fastest growing crimes.

The U.S. Postal Service reports that 50,000 people a year have become victims of identity theft, and the U.S. Treasury Department says thieves ring up $2 billion to $3 billion per year on stolen credit cards alone. As victims expend hours or days canceling debit and credit cards, obtaining new ones and re-establishing accounts and passwords, corporate America loses billions of dollars more in productivity.

Proponents say the California bill makes executives more accountable for computer fraud. It doesn't impose specific monetary fines, but the regulation makes companies with questionable computer networks more vulnerable to lawsuits and public scorn.

``It's a wake-up call for companies to make major, across-the-board changes in every part of the company,'' said Nick Akerman, an attorney specializing in computer fraud in the New York office of Dorsey & Whitney. ``Companies are afraid to report breaches because they think it reflects badly on them, and they don't want the bad publicity of becoming known as a company that's been hacked into. This bill says, 'You can't continue business as usual.'''

The regulation applies to any company that stores data electronically and does business in California. Companies must alert customers whenever ``unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.''

The bill defines ``personal information'' as an individual's first name or initial and last name, with one of the following: Social Security number; driver's license number; state identification number; or credit or debit card account number and security code.

Except when disclosure would impede a criminal investigation, companies must notify consumers ``in the most expedient time possible,'' with an e-mail or letter.

If a hacker gains access to data for 500,000 or more customers, the company might have to notify people through e-mail, a ``conspicuous'' posting on a Web site and disclosure to a major media outlet.

Some say the bill does for computer security what the Sarbanes-Oxley Act tried to do for accounting. Bush signed it into law in 2002 after scandals at Enron and WorldCom as an attempt to legislate corporate ethics by making companies disclose shortcomings in financial reporting.

``Before the regulation, you would have had an 'Oh, my God' response and worried maybe that your boss would get angry with you,'' Matt Stevens, a vice president at Walpole, Mass.-based database security company Network Intelligence, said of the California bill. ``Now there's a corporate malfeasance issue.''

Amazon.com, Lands' End, REI and numerous other companies with extensive databases would not comment on the bill. Dell Computer, which sells 50 percent of its goods online, said it applauds the regulation.

``This legislation codifies what we've had in place for a long time,'' spokeswoman Cathie Hargett said. ``In those very, very rare cases we believe customer information has been compromised, we tracked who was affected ... and alerted them by e-mail -- simply because we think it's good business practice. They appreciate the notification.''

Sending e-mails to customers is daunting, but sending alerts to newspapers and wire services truly panics e-commerce executives, said Peggy Weigle, chief executive of Santa Clara-based security company Sanctum Inc. The regulation would treat computer vulnerabilities like automobile recalls -- critical safety data that must not be kept from the public.

``The public has been under the impression that the transactions they're doing online are really secure,'' Weigle said. ``That's because most businesses don't call up the San Francisco Chronicle and say, 'We just had a quarter million credit cards stolen.' That info never sees the light of day -- until this regulation takes effect.''

Nearly half of the 530 companies and government agencies polled in January by the FBI and San Francisco-based Computer Security Institute acknowledged their networks had been the victim of an unauthorized, internal hacker in the past year, and unauthorized outsiders penetrated more than one in three companies.

It's unclear whether the alarming level of computer fraud will result in so many warnings that consumers ignore them.

Andy Carvin, an e-commerce enthusiast in Washington, D.C., would like a national version of the California bill. Carvin discovered his credit card information was stolen two years ago, when Visa called to ask whether he ordered $3,000 in personal computers and moved to the Philippines. He suspects a hacker stole data during an online transaction.

``It would have been great if one of the airlines where I had bought tickets or Amazon.com or MacWarehouse had sent a letter with some useful advice,'' Carvin said. ``I'd feel they wanted to help me.''

======
Article was found here
http://www.siliconvalley.com/mld/siliconvalley/news/editorial/6151122.htm