Friday, April 01, 2005

SB1386, and why does my head hurt?

So I'm reading UC Santa Barbara's guidelines for implementing SB1386 (answering the eternal question, "What do SOX compliance people do for fun?"), and I came across this sentence:

For the purpose of this guideline, if a system that houses a data store that contains personal information is accessed by unauthorized means, it can be presumed that the personal information stored there has not been compromised if reasonable technical evaluation and best practices lead to the conclusion that the data store was not compromised.

I just don't know where to begin. Why would you ever fail open? The document further states that, to determine whether the data has been compromised, you should look for evidence of copying, of nefarious intent, or of similar factors. The implication is that if I can't find such evidence, then the data must not be compromised. This is such a critical, high-visibility issue -- why would you ever err on the side of not isolating the system?
