[LINK] California requires disclosure of cracks
Sun Nov 17 21:20:26 EST 2002
At 10:22 AM 15/11/02 +1100, M. da Cruz wrote:
>The disclosure of computer-security breaches would fall within the scope
>of the standard. So, I'd be interested in an exchange of views.
>I'm not convinced that public disclosure is useful, perhaps an incident
>report to ASIC (for publically listed companies)/NOIE (government
>agencies) including a remedial action plan would be appropriate.
I reckon public disclosure is critical from some industries:
- banking definitely
- those that have access to my personal info in databases and that is what
was broken into
I really don't care if a commercial enterprise's servers are broken into
from a perspective of member of the public if the info is theres and not
mine. BUT if there are patterns of breaches, perhaps it's something that
INVESTORS should be made aware of - it's an operational problem that may
affect access to confidential business information and jeopardise the
So just as there are different types of information, there are probably
different levels of 'need to know' or interest on the 'who should be told
it happened' list.
A solution would be to have a requirement for reporting breaches to a
disinterested third party, not really a regulator directly, with rules in
the standard that says the types of people who must be notified and in what
way based on the type of information and need to know class of person.
I'll leave it to some others to add levels of complexity.... :-)
Melbourne, Victoria, Australia
email@example.com -- http://www.primenet.com/~jwhit/whitentr.htm
More information about the Link