Bibliofind was one of the first Web sites to specialize in hard-to-find and collectible books. The site featured a powerful search engine for used and rare books. The search engine's database was populated with the results of Bibliofind's daily surveys of a worldwide network of suppliers. Registered site visitors could specify the title for which they were searching, a price range, and whether they were seeking a first edition. The site also allowed visitors to build a wish list that would trigger an e-mail when a specific book on the list became available.
Bibliofind had developed a large customer list, an excellent reputation, and a solid network of rare book dealers, all of which made the company an attractive acquisition for other online bookstores. In 1999, Amazon.com bought Bibliofind, but Bibliofind continued to operate its own Web site and conduct its business as it had before the acquisition.
Several years after the Amazon.com acquisition, Bibliofind's Web site was hacked. The cracker had gained access to the company's Web server and replaced the company's Web pages with defaced versions. Bibliofind shut down its Web site for several days and undertook a complete review of its Web site's security. When the company's IT staff examined the server logs carefully, they found that the Web page hacking was only the tip of the iceberg. Entries in the logs showed that attackers had been accessing Bibliofind's computers for more than four months. Even worse, some of the crackers had been able to go through the Web servers to gain access to the computers that held Bibliofind customer information, including names, addresses, and credit card numbers. That information had been stored in plain text files on Bibliofind's transaction servers.
Bibliofind called in state and federal law enforcement officials to investigate the hacking incidents and sent an e-mail notification to the 98,000 customers whose private information might have been obtained by the crackers. The investigation did not result in any arrests, nor did it determine the identity of the intruders. Many of Bibliofind's customers were very upset when they learned what had happened.
A month after the hacking incident, Amazon.com moved Bibliofind into its zShops online mall (zShops was the original name of Amazon Marketplace). As an Amazon zShop, Bibliofind could process its transactions through Amazon's system and no longer needed to maintain private information about its customers on its computers; however, the company had seen its reputation seriously damaged and eventually was closed down. A successful business was ended in large part because had it failed to maintain adequate security over the customer information it had gathered.
Required:
1. In about 300 words, explain how Bibliofind might have used firewalls to prevent the intruders from gaining access to its transaction servers. Be specific about where the firewalls should have been placed in the network and what kinds of rules they should have used to filter network traffic at each point.
2. California has a law that requires companies to inform customers whose private information might have been exposed during a security breach like the one that Bibliofind experienced. Before California enacted this law, businesses argued that the law would encourage nuisance lawsuits. In about 300 words, present arguments for and against this type of legislation.