Regulating The Hacker Chase
Arik Hesseldahl
NEW YORK - It's getting tougher to keep quiet about hacking incidents.
In April 2002, someone, no one yet knows who, penetrated the security of the computer that stored California state government payroll records.
Among the details stored in the compromised computer files were personal and financial information on some 265,000 employees, including the state's lawmakers in Sacramento. The incident wasn't detected for about a month. The state employees whose files were breached didn't find out about it until more than six weeks after it had occurred.
No surprise that it took angry legislators only five months to draft a law that went into effect this past July--Senate Bill 1386, the California Information Practices Act. If you sell anything to anyone in California, it affects you.
The law contains a provision that requires companies with customers in California to inform those customers when they detect computer break-ins that could put their personal data at risk.
Companies need not have offices in California to be affected by the law, nor must the affected computers be located within the state's borders. The implications are obvious, from huge online retailers like Amazon.com and eBay, to banks like Citigroup and Wells Fargo, to pretty much anyone maintaining a computer database of customer information and with customers who live in California.
"This law affects nearly every company in the U.S. and many companies around the world," says Kevin Nelson, vice president and co-founder at Threat Focus, a computer security consulting firm in Tustin, Calif.
It's just the latest, and surely not the last, in what will no doubt become a confusing maze of regulatory requirements centered on information security.
"The idea is to put in place a basic security standard, but the better approach is to augment those standards with some kind of incentive," says Joseph Ansanelli, chief executive of Vontu, a San Francisco-based producer of computer security software. "Right now there's nothing but a disincentive to disclose a breach because it's a good way to get sued. Right now people are trying to figure this out."
One good step might be to watch out for misuse of access by internal employees. In June, a Vontu survey of 500 workers and managers with access to sensitive customer information found that two-thirds of them believe co-workers on the inside, not criminal hackers from the outside, pose the greatest risk to customer data.
In the case of California's law, it is the disclosure requirement that can give executives night sweats, especially those who sell products online. No company wants to puncture its own reputation as a safe place to shop online. That's why for every computer intrusion you hear about in the media, there are literally hundreds that go unreported.
A recent survey of 530 computer security professionals at large companies, government agencies, universities and medical institutions by the San Francisco-based Computer Security Institute found that 56% had detected some kind of attack on their networks in the previous 12 months. And the number of attacks is growing. For the first three quarters of this year, the CERT Coordination Center at Carnegie Mellon University in Pittsburgh has recorded nearly 115,000 reported incidents, a 40% increase from incidents reported in all of 2002.
But of those who suffered serious attacks, only 30% polled in the survey reported them to law enforcement. The most common reason cited? Seventy percent of respondents said they didn't want the negative publicity. Worse, more than half--53%--didn't even know they could report the incident to law enforcement.
So far, the California law hasn't produced any shocking headlines. As yet no one has come forward to report computer intrusions that would apply under the law. The law requires that companies notify customers living in California by e-mail or by postal mail even if there's a possibility that that customer's personal data has been compromised. Failure to comply leaves companies open to civil penalties and class-action lawsuits.
"If California ever really goes after a company for violating this law, it will take years to work its way through the courts," Nelson says.
Ignore the California law for now if you wish, but U.S. federal lawmakers are getting in on the game, too. California's Democratic Sen. Dianne Feinstein in June introduced the Notification of Risk to Personal Data Act, which is modeled on the California law. It requires all U.S. businesses and government agencies to notify customers of a network security breach, and carries penalties of $5,000 per violation or up to $25,000 per day.
That's not all. One bill being floated by Rep. Adam Putnam, a Florida Republican, would require companies covered by the Sarbanes-Oxley Act to prove they've had annual computer security assessments. On his list of top 20 contributors is business consulting firm Accenture, which offers, among other services, computer security assessments. Among the top ten trends to watch in computer security, according to Accenture? Oddly enough, an increase in government regulation.
forbes.com
Posted on Wednesday, 26 November 2003 @ 04:45:00 EST by phoenix22