In the wake of the state of California releasing its first data breach report, a new bill, SB-46, would expand...
the state's data breach laws to require notification if online account data is compromised. Assuming it becomes law, what's the best way to lay the groundwork for compliance efforts?
Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Under California law, organizations that suffer a security breach are required to notify California residents when the security of their personal information may be affected. Until recently, the definition of personal information was limited to a full name (or first initial and last name) in conjunction with a sensitive data element, such as a Social Security number, driver's license number, medical records or financial account information.
SB-46, which recently became law after working its way through the California legislative process, expands these requirements to cover information that permits access to an online account. The specific language extends the law to include "a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account." SB-46 greatly increases the number of organizations required to comply with the California data breach notification law, as it affects virtually every website that provides user accounts.
Organizations should first identify activities that involve the handling of user account information. Using strong cryptography to protect this information, where practical, may provide both a good degree of security and protection from SB-46, as it likely applies only to the compromise of unencrypted information. At the same time, this may serve as an opportunity to review existing breach notification practices to ensure that they comply with the law in the jurisdiction(s) where an organization operates.
Dig Deeper on Data Privacy and Protection
Related Q&A from Mike Chapple
Vulnerability scanning tools are necessary to be fully compliant with PCI DSS, but the tools need to come from a PCI DSS Approved Scanning Vendor. ...continue reading
Healthcare clearinghouses like Mass HIway are a new trend in health IT, but what are the security implications? Expert Mike Chapple explains what you...continue reading
The FFIEC Cybersecurity Assessment Tool has faced harsh criticism since its 2015 release. Expert Mike Chapple reviews the tool and how it can be ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.