In the wake of the state of California releasing its first data breach report, a new bill, SB-46, would expand...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
the state's data breach laws to require notification if online account data is compromised. Assuming it becomes law, what's the best way to lay the groundwork for compliance efforts?
Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Under California law, organizations that suffer a security breach are required to notify California residents when the security of their personal information may be affected. Until recently, the definition of personal information was limited to a full name (or first initial and last name) in conjunction with a sensitive data element, such as a Social Security number, driver's license number, medical records or financial account information.
SB-46, which recently became law after working its way through the California legislative process, expands these requirements to cover information that permits access to an online account. The specific language extends the law to include "a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account." SB-46 greatly increases the number of organizations required to comply with the California data breach notification law, as it affects virtually every website that provides user accounts.
Organizations should first identify activities that involve the handling of user account information. Using strong cryptography to protect this information, where practical, may provide both a good degree of security and protection from SB-46, as it likely applies only to the compromise of unencrypted information. At the same time, this may serve as an opportunity to review existing breach notification practices to ensure that they comply with the law in the jurisdiction(s) where an organization operates.
Dig Deeper on Data Privacy and Protection
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.