
specific questions about SB1386 compliance

paulie Femto
Into the dark
Join date: 13 Sep 2003
Posts: 1,098
09-09-2006 14:01
Background on California SB1386:
http://www.strongauth.com/regulations/sb1386/sb1386Newsletter.html

http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html


From: someone
Robin Linden: We referred to the California statutes regarding privacy and private information in deciding the best way to respond. If you have questions about specific provisions in the law, please let us know.


Can you address your compliance with SB 1386 Section 2, parts 1798.29 (b) and (c), quoted:

--snip--

(b) Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data IMMEDIATELY (emphasis mine) following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation.

--snip--


Specifically, my questions are:

1) Is it Linden Lab's position that a two-day wait in notifying users is in compliance with the statute?

2) Was law enforcement contacted BEFORE users were notified, which seems to be required by the statute?

3) Is a criminal investigation ongoing? I understand that you can't comment on an ongoing investigation, but I believe you are within the law to state whether or not an investigation is in progress.

4) Does Linden Lab maintain, or is Linden Lab planning to maintain, an SB1386 task force?

5) Was Linden Lab aware of SB1386 before the breach? According to the first article quoted at the start of this post, knowingly "minimizing the effort required to manage SB 1386 compliance" could open Linden Lab to class action lawsuits.

6) Does Linden Lab follow, or is Linden Lab planning to implement, an "information security policy" and notification policy as outlined in Section 2, subdivision (h), quoted:

--snip--

(h) Notwithstanding subdivision (g), an agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this part shall be deemed to be in compliance with the notification requirements of this section if it notifies subject persons in accordance with its policies in the event of a breach of security of the system.

--snip--

It would appear that an existing information security policy *may* allow Linden Lab to claim some wiggle room and still maintain compliance with immediate notification requirements. Maybe. If no policy exists, the recent breach could be damaging to Linden Lab.

Breach of users' personal data is, apparently, not the kind of thing you want to have happen to you as a company in California.

In the interest of fairness and open dialogue, I hope that you can answer these questions here in a public forum, not in private communication with me.
_____________________
REUTERS on SL: "Thirty-five thousand people wearing their psyches on the outside and all the attendant unfettered freakishness that brings."
Robin Linden
Linden Lifer
Join date: 25 Nov 2002
Posts: 1,224
09-10-2006 18:39
I'm checking in with our general counsel to get his thoughts on your questions. Please be patient. :)
Ginsu Linden
Junior Member
Join date: 28 Jul 2005
Posts: 24
09-10-2006 20:06
Paulie, thank you for your detailed question. I am happy to answer your questions in a public forum.

I would first like to address your statement that we had a "two-day wait" in notifying users that personal information may have been acquired by an unauthorized person. This is not correct. In our FAQ email, we gave a clear and neutral statement about the sequence, which I will reprint here (with emphasis added):
-------
Our forensic investigation began on September 6, 2006. Based on this investigation, the intrusion attempts may have started as early as September 3, 2006. However, we have not found evidence of successful database access occurring before September 5, 2006. On September 6, 2006, unusual activity in our database logs revealed the attack to Linden Lab, and we investigated, found and closed the intrusion on the same day. At that point, there was no evidence that databases containing customer identity information had been compromised. For the following two days, the focus of our investigation was to determine the extent of the database access and the nature of the data downloaded from our system. On September 8, 2006, we concluded that there was a substantial likelihood that customer account information could have been accessed.
-------
In other words, we did not believe that customer records might have been acquired from the database until September 8, and in less than 24 hours, we invalidated passwords, made a blog post, contacted the media, posted a security bulletin on our website, and emailed our entire user base. And at this time, we are still not certain that personal information was acquired. We are still trying to determine exactly what kind of information was acquired.

I realize that this last statement will open us up to a whole new class of accusation: "Why are you Linden fools raising all this ruckus if you don't even know what really happened yet?" We're willing to live with that accusation. We understand the value our users place in their privacy, and we believe that it is better to take a very conservative approach in informing the world what has happened, even before we ourselves have all of the facts.

I hope you don't mind if I inject a personal note now. I understand that in this day and age, many people assume the worst about corporate behavior. I understand that a certain kind of mentality always believes there must be a cover-up, a conspiracy, an instinct for "truthiness" over truth. I suppose that there is little we can do at Linden Lab to dispel this atmosphere of suspicion that hangs over all corporations. Nevertheless, I will state for the record that I believe that our actions and intentions in this matter have been beyond reproach. Among my colleagues at Linden, I did not hear a single voice arguing for any action that was not along the lines of rapid and open communication. I believe we have responded quickly, responsibly and with deep sensitivity for the concerns of our customers. I am proud of the way we have responded to this incident.

I wanted to get this out to you as soon as I could. In a subsequent post, I will provide more answers to your detailed questions.
Ginsu Linden
Junior Member
Join date: 28 Jul 2005
Posts: 24
09-10-2006 23:04
I'll continue here on the specific questions regarding California SB 1386. I'd encourage anyone interested in this topic to read the full text of the bill, not just summaries or this discussion. The bill is available here, and as of July 1, 2003, the bill became effective law in California Civil Code Section 1798. Section references below refer to the law, not the bill.

First, I'd note the definition of "personal information" in Section 1798.29(e) and Section 1798.82(e):
------
(e) For purposes of this section, "personal information" means an
individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the
name or the data elements are not encrypted:
(1) Social security number.
(2) Driver's license number or California Identification Card
number.
(3) Account number, credit or debit card number, in combination
with any required security code, access code, or password that would
permit access to an individual's financial account.
------
Linden Lab does not collect or store Social Security numbers or driver's license numbers (except, in the case of driver's licenses, to confirm identity or age when necessary, in which case the information is reviewed but not stored electronically). The account number for use of Second Life is the avatar name, and was stored in the compromised database in unencrypted form. The account password and credit card number were stored in that database with an MD5 hash with salt, as explained in the security bulletin FAQ. These are the details which we believe may implicate the state definition of "personal information."

From: someone
1) Is it Linden Lab's position that a two-day wait in notifying users is in compliance with the statute?
As noted [post=1281418]above[/post], there was no "two-day wait" in complying with the statute. I would draw your attention to the words after your emphasis when you quoted the statute, "immediately [your emphasis] following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person [my emphasis]." This states two (alternate) conditions for notification. One is that personal information has been acquired by an unauthorized person. We do not yet know that this is the case. The second condition is that personal information is reasonably believed to have been acquired by an unauthorized person. Whether it's reasonable to believe this at this point is a question that can be debated. We think it's a significant enough possibility that we made the notification. And we made the notification within hours, as described above. I think many people (well, lawyers, anyway) might believe that we are not required to make a notification at all, since it might not be reasonable to believe that personal information was acquired by an unauthorized person. Nevertheless, we are deeply sorry that it's even a possibility, and we feel that we needed to get the information out to our users.

From: someone
2) Was law enforcement contacted BEFORE users were notified, which seems to be required by the statute?
I believe that the sections you are referencing, Sections 1798.29(b) and 1798.82(b), say that IF law enforcement is contacted, AND law enforcement believes that notification will impede a criminal investigation, then the notification MAY be delayed. It is not clear to me that law enforcement authorities are required to be notified under this statute, whether before or after any notification to customers. And, as noted above, our notification may have been made before technically required by any statute - we acted to give our users the information we felt was necessary, as soon as we could.

From: someone
3) Is a criminal investigation ongoing? I understand that you can't comment on an ongoing investigation, but I believe you are within the law to state whether or not an investigation is in progress.
We have contacted law enforcement authorities. Obviously, I cannot control their investigation or comments. I do not believe they are prepared to comment at this time, and I would prefer not to comment in advance of their progress in investigation.

From: someone
4) Does Linden Lab maintain, or is Linden Lab planning to maintain, an SB1386 task force?

5) Was Linden Lab aware of SB1386 before the breach? According to the first article quoted at the start of this post, knowingly "minimizing the effort required to manage SB 1386 compliance" could open Linden Lab to class action lawsuits.

6) Does Linden Lab follow, or is Linden Lab planning to implement, an "information security policy" and notification policy as outlined in Section 2, subdivision (h) [snip]
We believe that our level of attention to information security is compliant with applicable laws - and of course we will continue to attend to and improve data security based on lessons learned from this incident. More importantly, we do not believe that the bare requirements of law are the only things that matter. We think that our customers' expectations matter, and often pose a higher standard than law. We'll post further details about upcoming plans in the coming days at http://blog.secondlife.com/?tag=security.

I hope I have addressed your questions. In the interest of fairness and open dialogue, I hope you will accept my heartfelt apology for any inconvenience you may have suffered.
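The post above says the card numbers were stored as a salted MD5 hash, and treats that as relevant to whether the data counts as "encrypted" under the statute. The added example below is not from the thread or from Linden Lab; it only illustrates the general caveat a practitioner would raise about that storage choice. A salted hash of a low-entropy value is not equivalent to encryption: a 16-digit card number has a tiny keyspace once the issuer prefix (BIN, first six digits) and the last four digits are known (both are routinely printed on receipts), and the Luhn check digit removes another factor of ten. With the salt stored beside the hash, which is the normal layout and is assumed here (the page does not describe the actual record format, nor whether salts were per-record), the remaining five free digits are recovered with 10^5 MD5 computations. The card number, salt, and `salt + value` concatenation are all constructed for the example.

```python
import hashlib
import itertools
from typing import Optional

# Constructed sample record: a standard test PAN, not a real account, and a
# made-up salt. The salt||value layout is an assumption, not the page's.
SALT = "8f3a1c"
CARD_NUMBER = "4111111111111111"

# Luhn doubling step for a single digit (2*d, subtracting 9 when >= 10).
# It is a bijection on 0..9, so the inverse below is well defined.
DOUBLE = {0: 0, 1: 2, 2: 4, 3: 6, 4: 8, 5: 1, 6: 3, 7: 5, 8: 7, 9: 9}
INV_DOUBLE = {v: k for k, v in DOUBLE.items()}


def salted_md5(salt: str, value: str) -> str:
    """Salted MD5 as assumed for this example: md5(salt || value)."""
    return hashlib.md5((salt + value).encode()).hexdigest()


STORED_HASH = salted_md5(SALT, CARD_NUMBER)  # what the database would hold


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        total += DOUBLE[d] if i % 2 == 1 else d
    return total % 10 == 0


def luhn_fill(pan: str, hole: int) -> str:
    """Return pan with the digit at index `hole` replaced by the unique digit
    that makes the Luhn check pass. The existing pan[hole] is ignored."""
    n = len(pan)
    total = 0
    for i, ch in enumerate(pan):
        if i == hole:
            continue
        d = int(ch)
        doubled = (n - 1 - i) % 2 == 1  # same weighting as luhn_ok
        total += DOUBLE[d] if doubled else d
    need = (-total) % 10
    digit = INV_DOUBLE[need] if (n - 1 - hole) % 2 == 1 else need
    return pan[:hole] + str(digit) + pan[hole + 1:]


def recover_pan(stored_hash: str, salt: str, bin6: str, last4: str) -> Optional[str]:
    """Brute-force a 16-digit PAN from its salted MD5 given the BIN and last
    four digits. Digits 6..10 are enumerated; digit 11 is derived from the
    Luhn constraint, so at most 100,000 hashes are computed."""
    for mid in itertools.product("0123456789", repeat=5):
        skeleton = bin6 + "".join(mid) + "0" + last4
        candidate = luhn_fill(skeleton, 11)
        if salted_md5(salt, candidate) == stored_hash:
            return candidate
    return None


def candidate_count() -> int:
    """Size of the search space for the known-BIN, known-last-4 case."""
    return 10 ** 5


if __name__ == "__main__":
    found = recover_pan(STORED_HASH, SALT, CARD_NUMBER[:6], CARD_NUMBER[-4:])
    print(f"searched at most {candidate_count()} candidates, recovered: {found}")
```

The same reasoning applies with weaker assumptions: without the last four digits the search is 10^9 per BIN, which is still minutes of MD5 on ordinary hardware, and a shared rather than per-record salt lets one table cover every row. This is why card data is normally encrypted under a managed key (or tokenized) rather than hashed, and why a fast hash like MD5, even salted, is also a poor choice for passwords.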