It hasn't been a good few months for San Diego computer security fans. Back in December, San Diego State University reported computer hackers might have accessed private records on more than 175,000 students, alumni and employees over the Internet. Last month, someone broke into computers at the San Diego Supercomputer Center.

On top of all that, it turns out that private records, including Social Security numbers and driver's license numbers of more than 350,000 University of California, San Diego applicants, students, faculty and employees might have been exposed to Internet-based hackers sometime before mid-April when the break-in was discovered.

UCSD has been aggressive about letting the affected people know about the possible exposure of their private information - information that would be quite helpful to identity thieves. The university issued a press release and set up a special Web site to provide information and help.

But this aggressiveness in notifying people that their identity might be in the process of being stolen might not be entirely because of UCSD's sense of doing the right thing. Not quite a year ago the California Database Breach Disclosure Act went into effect (also see Making the worst of a bad situation). This act requires that California residents be told if personal data about them might have been exposed during a computer break-in.

There does seem to have been a cluster of security problems in San Diego, but maybe the reality is that this type of exposure is quite commonplace. Maybe it's only the disclosure act that lets us know about the problems. And keep in mind that the act only covers organizations that conduct business in California. A scary thought.

There's a very easy workaround for the California act - keep your data encrypted. The disclosure act specifically exempts exposures of encrypted data from the notification rules.
So if you don't want to fix the security of your systems so they don't get hacked and so unauthorized people inside your company cannot access the private information, then just encrypt the data. It's not a bad idea to keep this data encrypted even if you think you have good security.

Some things remain fuzzy about the disclosure act. For example, it applies to "any person or business conducting business in California." Does it apply to a New Jersey Web site selling socks over the Internet to a person located in Georgia but whose voting address is in California? How about selling the socks to someone living in San Francisco? If it does apply, how would California enforce the rules?

What quality of encryption is required for someone to be exempt? Would encrypting using ROT13 work?

Forced honesty is better than none, which seems to be the default for too many corporate lawyers when confronted with an embarrassing situation. It would be better to design and run things so the embarrassing situation doesn't arise at all.

Disclaimer: From what I understand, the Harvard Business and Law schools have classes on "when honesty is the best policy," but they did not comment on this topic.