In the wake of the state of California releasing its first data breach report, a new bill, SB-46, would expand...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
the state's data breach laws to require notification if online account data is compromised. Assuming it becomes law, what's the best way to lay the groundwork for compliance efforts?
Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Under California law, organizations that suffer a security breach are required to notify California residents when the security of their personal information may be affected. Until recently, the definition of personal information was limited to a full name (or first initial and last name) in conjunction with a sensitive data element, such as a Social Security number, driver's license number, medical records or financial account information.
SB-46, which recently became law after working its way through the California legislative process, expands these requirements to cover information that permits access to an online account. The specific language extends the law to include "a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account." SB-46 greatly increases the number of organizations required to comply with the California data breach notification law, as it affects virtually every website that provides user accounts.
Organizations should first identify activities that involve the handling of user account information. Using strong cryptography to protect this information, where practical, may provide both a good degree of security and protection from SB-46, as it likely applies only to the compromise of unencrypted information. At the same time, this may serve as an opportunity to review existing breach notification practices to ensure that they comply with the law in the jurisdiction(s) where an organization operates.
Dig Deeper on Data Privacy and Protection
Related Q&A from Mike Chapple
Cloud compliance issues are no reason for enterprises not to move to the cloud. Expert Mike Chapple explains why, as well as what to keep in mind ...continue reading
The GAO reported on SEC cybersecurity weaknesses, even though the SEC regulates cybersecurity. Expert Mike Chapple discusses the effects of this ...continue reading
Enterprise compliance can be a burden to manage, which is where a PCI ISA can be helpful. Expert Mike Chapple explains how a PCI Internal Security ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.