Chicken Little Law

Disclosure legislation overwarns, underprotects.

As of July 1, Californias Security Breach Information Act mandates disclosure of data security incidents. By promising more than it delivers, by inducing more customer concern than increased confidence and by ultimately making people less sensitive than they are now to warnings of data insecurity, the act is likely to demonstrate the law of unintended consequences—unless IT professionals add their judgment to its inadequate mandates.

At a minimum, the prudent IT administrator will take the necessary steps to avoid embarrassing and costly violations of this law—and also of its possible imitations in other states or at the federal level.

The act requires any entity doing business in California "that owns or licenses computerized data that includes personal information" to disclose "any breach of the security of the data ... to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Use of encrypted data storage confers complete protection from penalties under this law, in itself not a bad thing: Its high time that data custodians took responsibility for defense in depth of the sensitive information in their charge, but it would be a setback for IT security if this became the codification of good and sufficient care.

To be sure, Internet users have for too long been led to believe that online transaction security is adequately protected by link encryption. People have been taught to look for the padlock icon or other indicator that a browser displays when engaged with an e-commerce site as their assurance of safety. About 10 years ago, a Purdue University professor, Eugene Spafford, put that misconception in its place with his comment that "using encryption on the Internet is the equivalent of using an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench."

Its clearly a waste of time to secure the link between two points if the end points are themselves unprotected. Opportunistic theft of customer or citizen data, by someone with simple physical access to a server with a 3.5-inch floppy drive, is the kind of thing that data-store encryption is likely to discourage—and that, to be fair, this law may therefore actually reduce.

Despite a search of the legislations text, though, I can find no statement of the quality of crypto thats needed to earn exemption from the law. Weak crypto algorithms or poor implementations of good algorithms or poorly administered deployments of even robust crypto products are equally hollow in their promises of protection. If the password is the administrators mothers maiden name, the key length doesnt much matter—but under this California law, at least until case law says differently, it looks to me as if the data is still considered "encrypted."

Dont let yourself become the test case that defines lack of reasonable care. Passwords of reasonable length, meeting reasonable tests of complexity and frequency of change, arent the leading edge of security practice. Dont let their lack become the cutting edge that decapitates your credibility with customers and supply chain partners.

At the same time, Im concerned that mandated disclosures of possible data theft will become a constant assault on use confidence. In California this is already the norm: When you walk into a restaurant, youre greeted by an appetite-suppressing warning that "Chemicals Known To The State Of California To Cause Cancer, or Birth Defects or Other Reproductive Harm May Be Present In Foods or Beverages Sold or Served Here." Similar warnings are given at any number of public establishments where carcinogenic chemicals are used—even if only in nonthreatening amounts. Everyone sees these signs, and no one notices them any more. It looks as if the state is headed down that road again.

Warning people too often, without a context for balancing risks and benefits, is as bad as failing to warn them at all—unless your goal is to pass a law, the purpose of which is to make it look like youve done something. IT professionals must provide the sober perspective that no useful system can be totally secure.

Peter Coffee can be reached at