[LINK] California requires disclosure of cracks
Jan Whitaker
jwhit@primenet.com
Sun Nov 17 21:20:26 EST 2002
At 10:22 AM 15/11/02 +1100, M. da Cruz wrote:
>The disclosure of computer-security breaches would fall within the scope
>of the standard. So, I'd be interested in an exchange of views.
>
>I'm not convinced that public disclosure is useful; perhaps an incident
>report to ASIC (for publicly listed companies)/NOIE (government
>agencies) including a remedial action plan would be appropriate.
I reckon public disclosure is critical for some industries:
- banking definitely
- those that have access to my personal info in databases, and that is what
was broken into
I really don't care if a commercial enterprise's servers are broken into,
from the perspective of a member of the public, if the info is theirs and not
mine. BUT if there are patterns of breaches, perhaps it's something that
INVESTORS should be made aware of - it's an operational problem that may
affect access to confidential business information and jeopardise the
company's future.
So just as there are different types of information, there are probably
different levels of 'need to know' or interest on the 'who should be told
it happened' list.
A solution would be to have a requirement for reporting breaches to a
disinterested third party, not really a regulator directly, with rules in
the standard that say which types of people must be notified, and in what
way, based on the type of information and the need-to-know class of person.
I'll leave it to some others to add levels of complexity.... :-)
Jan
JLWhitaker Associates
Melbourne, Victoria, Australia
jwhit@primenet.com -- http://www.primenet.com/~jwhit/whitentr.htm