Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Subscribe
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Subscribe
    Home Latest News
    • Storage

    Chicken Little Law

    Written by

    Peter Coffee
    Published July 14, 2003
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      As of July 1, Californias Security Breach Information Act mandates disclosure of data security incidents. By promising more than it delivers, by inducing more customer concern than increased confidence and by ultimately making people less sensitive than they are now to warnings of data insecurity, the act is likely to demonstrate the law of unintended consequences—unless IT professionals add their judgment to its inadequate mandates.

      At a minimum, the prudent IT administrator will take the necessary steps to avoid embarrassing and costly violations of this law—and also of its possible imitations in other states or at the federal level.

      The act requires any entity doing business in California “that owns or licenses computerized data that includes personal information” to disclose “any breach of the security of the data … to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Use of encrypted data storage confers complete protection from penalties under this law, in itself not a bad thing: Its high time that data custodians took responsibility for defense in depth of the sensitive information in their charge, but it would be a setback for IT security if this became the codification of good and sufficient care.

      To be sure, Internet users have for too long been led to believe that online transaction security is adequately protected by link encryption. People have been taught to look for the padlock icon or other indicator that a browser displays when engaged with an e-commerce site as their assurance of safety. About 10 years ago, a Purdue University professor, Eugene Spafford, put that misconception in its place with his comment that “using encryption on the Internet is the equivalent of using an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.”

      Its clearly a waste of time to secure the link between two points if the end points are themselves unprotected. Opportunistic theft of customer or citizen data, by someone with simple physical access to a server with a 3.5-inch floppy drive, is the kind of thing that data-store encryption is likely to discourage—and that, to be fair, this law may therefore actually reduce.

      Despite a search of the legislations text, though, I can find no statement of the quality of crypto thats needed to earn exemption from the law. Weak crypto algorithms or poor implementations of good algorithms or poorly administered deployments of even robust crypto products are equally hollow in their promises of protection. If the password is the administrators mothers maiden name, the key length doesnt much matter—but under this California law, at least until case law says differently, it looks to me as if the data is still considered “encrypted.”

      Dont let yourself become the test case that defines lack of reasonable care. Passwords of reasonable length, meeting reasonable tests of complexity and frequency of change, arent the leading edge of security practice. Dont let their lack become the cutting edge that decapitates your credibility with customers and supply chain partners.

      At the same time, Im concerned that mandated disclosures of possible data theft will become a constant assault on use confidence. In California this is already the norm: When you walk into a restaurant, youre greeted by an appetite-suppressing warning that “Chemicals Known To The State Of California To Cause Cancer, or Birth Defects or Other Reproductive Harm May Be Present In Foods or Beverages Sold or Served Here.” Similar warnings are given at any number of public establishments where carcinogenic chemicals are used—even if only in nonthreatening amounts. Everyone sees these signs, and no one notices them any more. It looks as if the state is headed down that road again.

      Warning people too often, without a context for balancing risks and benefits, is as bad as failing to warn them at all—unless your goal is to pass a law, the purpose of which is to make it look like youve done something. IT professionals must provide the sober perspective that no useful system can be totally secure.

      Peter Coffee can be reached at [email protected].

      Peter Coffee
      Peter Coffee
      Peter Coffee is Director of Platform Research at salesforce.com, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.