SecurityFocus 2003-01-06
A new California law requiring companies to notify their customers of computer security breaches applies to any online business that counts Californians as customers, even if the company isn't based in the Golden State.
California disclosure law has national reach
2003-01-07
Midridth (1 replies)
re: California disclosure law has national reach
2003-01-07
Keydet89 (at) yahoo (dot) com [email concealed] (1 replies)

Number 1, it encourages reporting cyber breaches to Law Enforcement. I am pretty confident that most Police/Law Enforcement departments will say, "Please don't release information during our investigation", giving the company the time to perform PR, as the article stated. In this case, Following the Law lets you get Around the Law - in that disclosure may not be immediately necessary. One side note, I certainly do think discreetly informing CA residents would turn out cheaper and easier than informing all customers. Companies will continue to believe the less that know, the better.
Number 2, it will get companies thinking that if their customer information is stolen, the customer has a right to know - so they can protect themselves from identity theft. Anyone who has been a victim of it knows of its horrors and pains.
As an aside, one reply mentioned that this may encourage firms not to perform network security at all. I don't see that happening, as if companies hold customer information at all (any info, credit card numbers, billing info, mailing address, social security numbers, anything) they are obligated to protect it. Failure to do so - or to at least meet some sort of business standard - would leave them potentially open to a class action lawsuit.
- Ajay Gupta, CISSP