In April, 2002, hackers broke into the payroll database for the state of California. For more than a month, cybercriminals rooted around in the personal information of 265,000 Golden State employees, ranging from Governor Gray Davis to maintenance workers and clerks.
Worse, the California Controller’s Office, which ran the database, failed to notify state employees for more than two weeks after the breach was discovered. Although officials with the Controller’s office insisted the break-in probably hadn’t resulted in any significant harm, the incident enraged Golden State pols and employees, whose Social Security numbers, bank account information, and home addresses were fair game for the hackers.
This lapse sparked what may mark a dramatic shift in legal policy toward cybersecurity. Over strenuous objections from the business lobby, on Sept. 26 California enacted a sweeping measure that mandates public disclosure of computer-security breaches in which confidential information may have been compromised. The law covers not just state agencies but private enterprises doing business in California. Come July 1, 2003, those who fail to disclose that a breach has occurred could be liable for civil damages or face class actions.
Here is Slashdot’s very perceptive take on the new law:
” IMHO Big companies will have the resources to set up investigations even when they know it is unlikely to get anywhere, and business will go on as usual for them. Small businesses that don’t have the resources to maintain an investigation will have their reputations ruined. Also, the article doesn’t mention the contingency where a break-in occurs because of a software/hardware issue for which there is no released technical solution (i.e. anyone else who has software X would be susceptible to the same type of break-in). This is not good.”
Another Slashot comment on the story:
“Microsoft (Nasdaq: MSFT) filed documents with the SEC today relating to a breach of network security.
According to the filings, at 5:23 AM last Tuesday, Microsoft’s network was “owned” by a hacker calling himself “Z3r0 kew10r”. While the hacker refered to himself as “1337” in his defacement of Microsoft’s webpage, Microsoft CEO Bill Gates indicated that the security breach was very minor.
In a press release accompanying the filing, Gates said: “t#1s punk th1nks h3’s 1337 but h3’s just a littl3 scr1p7 k1dd13 and i’m g0nna sh0w h1m what 1337 is when m3 and the M$ haxx0r cr3w crak his b0xx0r!” “