
Forced admissions of poor security

May 17, 2004

It hasn’t been a good few months for San Diego computer security fans. Back in December, San Diego State University reported that computer hackers might have accessed private records on more than 175,000 students, alumni and employees over the Internet. Last month, someone broke into computers at the San Diego Supercomputer Center.

On top of all that, it turns out that private records, including Social Security numbers and driver’s license numbers of more than 350,000 University of California, San Diego applicants, students, faculty and employees might have been exposed to Internet-based hackers sometime before mid-April when the break-in was discovered.

UCSD has been aggressive about letting the affected people know about the possible exposure of their private information – information that would be quite helpful to identity thieves. The university issued a press release and set up a special Web site to provide information and help.

But this eagerness to notify people that their identities might be in the process of being stolen might not stem entirely from UCSD’s sense of doing the right thing. Not quite a year ago the California Database Breach Disclosure Act went into effect (also see “Making the worst of a bad situation”). This act requires that California residents be told if personal data about them might have been exposed during a computer break-in. There does seem to have been a cluster of security problems in San Diego, but maybe the reality is that this type of exposure is quite commonplace. Maybe it’s only the disclosure act that lets us know about the problems. And keep in mind that the act only covers organizations that conduct business in California. A scary thought.

There’s a very easy workaround for the California act – keep your data encrypted. The disclosure act specifically exempts exposures of encrypted data from the notification rules. So if you don’t want to fix the security of your systems so they don’t get hacked and so unauthorized people inside your company cannot access the private information, then just encrypt the data. It’s not a bad idea to keep this data encrypted even if you think you have good security.

Some things remain fuzzy about the disclosure act. For example, it applies to “any person or business conducting business in California.” Does it apply to a New Jersey Web site selling socks over the Internet to a person located in Georgia but whose voting address is in California? How about selling the socks to someone living in San Francisco? If it does apply, how would California enforce the rules?

What quality of encryption is required for someone to be exempt? Would encrypting using ROT13 work?

Forced honesty is better than none, which seems to be the default for too many corporate lawyers when confronted with an embarrassing situation. It would be better to design and run things so the embarrassing situation doesn’t arise at all.

Disclaimer: From what I understand, the Harvard Business and Law schools have classes on “when honesty is the best policy,” but they did not comment on this topic.