[EMAIL PROTECTED] writes:

> I can corroborate the quote in that much of SarbOx and
> other recent regs very nearly have a guilty unless proven
> innocent quality, that banks (especially) and others are
> called upon to prove a negative: X {could,did} not happen.
> California SB1386 roughly says the same thing: If you cannot
> prove that personal information was not spilled, then you
> have to act as if it was.
No, it doesn't. I think you've got it backwards. That's not what SB1386 says.

SB1386 says that if a company conducts business in California and has a system that includes personal information stored in unencrypted form, and if that company discovers or is notified of a breach of the security of that system, then the company must notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. [*]

If you know or are notified that the security of your system has been breached, and if you know or have some reason to believe that someone has received unauthorized access to unencrypted personal information about California residents, then sure, you have to act on the presumption that the personal information was spilled. So what? That seems awfully reasonable to me.

In short, my reading of SB1386 is that companies only have to notify customers if (a) they know or are notified of a security breach and (b) they know or have reason to believe that this breach led to an unauthorized disclosure of personal information. In other words, SB1386 treats companies as innocent until there is some reason to believe that they are guilty.

I don't know anything about SOX, but I think you've mis-characterized SB1386. Don't tar SB1386 with SOX-feathers.

[*] This is pretty close to a direct quote from Section 1798.82(a) of California law. See for yourself:
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]