In the wake of the state of California releasing its first data breach report, a new bill, SB-46, would expand...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
the state's data breach laws to require notification if online account data is compromised. Assuming it becomes law, what's the best way to lay the groundwork for compliance efforts?
Ask the expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Under California law, organizations that suffer a security breach are required to notify California residents when the security of their personal information may be affected. Until recently, the definition of personal information was limited to a full name (or first initial and last name) in conjunction with a sensitive data element, such as a Social Security number, driver's license number, medical records or financial account information.
SB-46, which recently became law after working its way through the California legislative process, expands these requirements to cover information that permits access to an online account. The specific language extends the law to include "a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account." SB-46 greatly increases the number of organizations required to comply with the California data breach notification law, as it affects virtually every website that provides user accounts.
Organizations should first identify activities that involve the handling of user account information. Using strong cryptography to protect this information, where practical, may provide both a good degree of security and protection from SB-46, as it likely applies only to the compromise of unencrypted information. At the same time, this may serve as an opportunity to review existing breach notification practices to ensure that they comply with the law in the jurisdiction(s) where an organization operates.
Dig Deeper on Data Privacy and Protection
Related Q&A from Mike Chapple
The rights of medical identity theft victims have been confused by health providers, but the rules under HIPAA are actually quite clear. Expert Mike ...continue reading
The New York State Department of Financial Services announced plans to increase cybersecurity regulations for financial firms. Here's what they need ...continue reading
Smaller organizations have a tougher time handling the compliance burden, specifically from the PCI DSS requirements. Expert Mike Chapple has some ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.