Shostack + Friends Blog Archive


Thoughts on SB 1386

Looking for a link to SB 1386, I noticed that of the first 10 Google hits, 2 are legislative, 2 are law firms, 3 are information security portals, and 3 are for security companies. The three security companies (Verisign, Threatfocus and Watchfire) are simply adding “SB 1386” to existing products and claiming to provide compliance. Now, sure, anything you do to secure yourself helps to some extent.

In contrast, Ingrian seems to make database encryption tools, which might actually help with 1386 compliance. (I haven’t looked at their products in depth, but they seem to be doing database encryption.)

However, there doesn’t seem to be anything in the first 50 or so links on data minimization—designing business processes to collect and store less data, so that you’re less at risk and your customers are more protected, because you can’t lose control of something you don’t have.
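To make the minimization point concrete, here is an added illustration (not from the post or any vendor): a constructed signup record is trimmed to what a hypothetical fulfilment process actually needs, and a check shows whether losing each version would still fall under the SB 1386 notification trigger, which is summarised in a comment as my own paraphrase of the statute.

```python
"""Data minimization vs. breach-notification exposure (added example)."""

# SB 1386 (Cal. Civ. Code 1798.82) notification is triggered by the loss of
# unencrypted data pairing a person's name with at least one of these
# elements. This summary is the example's own paraphrase of the statute.
SENSITIVE_FIELDS = {"ssn", "drivers_license", "account_number"}
NAME_FIELDS = {"first_name", "last_name"}

# Fields a hypothetical order-fulfilment process genuinely needs (assumption).
NEEDED_FOR_FULFILMENT = {"first_name", "last_name", "email", "shipping_address"}


def minimize(record: dict, needed: set) -> dict:
    """Keep only the fields the process needs; the rest is never stored."""
    return {k: v for k, v in record.items() if k in needed}


def triggers_notification(record: dict) -> bool:
    """True if losing this record unencrypted would require SB 1386 notice."""
    has_name = NAME_FIELDS.issubset(record)
    has_sensitive = any(record.get(f) for f in SENSITIVE_FIELDS)
    return has_name and has_sensitive


# Constructed sample of what an over-eager signup form collects.
RAW_RECORD = {
    "first_name": "Ada",
    "last_name": "Example",
    "email": "ada@example.com",
    "shipping_address": "1 Sample St",
    "ssn": "000-00-0000",  # constructed placeholder, not a real SSN
    "drivers_license": "X0000000",  # constructed placeholder
    "account_number": "0000000000000000",  # constructed placeholder
}


def compare() -> tuple:
    """Exposure (True = notice required) before and after minimization."""
    stored_full = RAW_RECORD
    stored_min = minimize(RAW_RECORD, NEEDED_FOR_FULFILMENT)
    return triggers_notification(stored_full), triggers_notification(stored_min)


if __name__ == "__main__":
    before, after = compare()
    print(f"full record triggers notice: {before}; minimized record: {after}")
```

Encrypting the full record changes the outcome only while the key stays safe; the minimized record has nothing to lose in the first place.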