David Wagner writes:
-+------------------
| dan geer.com writes:
| >I can corroborate the quote in that much of SarbOx and
| >other recent regs very nearly have a guilty unless proven
| >innocent quality, that banks (especially) and others are
| >called upon to prove a negative: X {could,did} not happen.
| >California SB1386 roughly says the same thing: If you cannot
| >prove that personal information was not spilled, then you
| >have to act as if it was.
|
| No, it doesn't. I think you've got it backwards. That's not what SB1386
| says. SB1386 says that if a company conducts business in California and
| has a system that includes personal information stored in unencrypted form
| and if that company discovers or is notified of a breach of the security
| of that system, then the company must notify any California resident whose
| unencrypted personal information was, or is reasonably believed to have
| been, acquired by an unauthorized person. [*]
| <snip>
Been with a reasonable number of General Counsels on this sort of thing.
Maybe you can blame them and not SB1386 for saying that if you cannot prove
the data didn't spill then it is better corporate risk management to act as
if it did spill. All I know is that the GCs, or for that matter the
newspapers, are full of stories about, say, buying credit-watch services for
everyone who could conceivably be at any non-zero risk. "Conceivably at
non-zero risk" maps to "prove a negative" at least as I mean it here.

This may be, in other words, de facto versus de jure and your interpretation
may be the correct one. It doesn't seem so to me, but YMMV.

And, yes, SarbOx is worse.

--dan
---------------------------------------------------------------------
The Cryptography Mailing List