California's Security Breach Information Act (SB 1386) becomes official Tuesday and mandates for the first time that businesses must inform customers when electronic data is compromised by a hacker.
SB 1386 requires companies that own or maintain the personal information of California residents to notify the people if that data is unlawfully accessed.
Gray areas remain with SB 1386 -- for example, it's unclear whether the state can impose the law upon companies that operate outside the state but own personal data about California residents.
Some industry opposition has been voiced, which softened the law somewhat while it was being written. But "it issues a mandatory disclosure requirement that, to my knowledge, has not existed in another state or federal law," said Steve Pink, deputy chairman of the American Bar Association's Cybersecurity Task Force and an attorney with Gray Cary Ware & Freidenrich. Pink presented a tutorial last week on SB 1386 that was sponsored by vulnerability scanning outsourcer Qualys Inc.
The impetus for the law was the hacking of a database of state employee information. Sensitive information, such as names, Social Security numbers and payroll information about state employees "ranging from office workers to judges," was stolen, Pink said.
The breach occurred April 5, 2002, but it wasn't discovered until May 7. The state didn't notify the public of it until May 24. The delay in notifying the public created
Who must comply with SB 1386?
The law applies to any person or company that conducts business in California and owns or maintains computerized personal data. The law does not define what "conducting business in California" means. As a result, many companies not based in California may be affected by the law.
The data covered by the law is fairly narrow. Essentially, it covers people's last names and first names or initial, when the names exist in combination with Social Security numbers, drivers' license numbers or credit card or debit card numbers with passwords. Only unencrypted data falls under the law.
The law defines a breach as the unauthorized acquisition of data that compromises the security, confidentiality or integrity of personal information of California residents. "If a Nevada resident's information is compromised, then the disclosure requirement is not triggered," Pink said.
Once a breach has been discovered, the affected company has to notify California residents quickly. The law does not mandate a set time, like 24 or 48 hours. Notification can be delayed if the breach is reported to law enforcement and the authorities believe disclosure could affect the investigation. Also, companies can hold off on disclosing the compromise in order to fix the security hole and restore the integrity of their systems, Pink said.
How to notify affected parties of a breach
Companies have some leeway as to how they notify affected people of a breach. Sending out a letter is one way, but that method could be expensive. E-mail notification is considered OK, as long as the messages comply with the federal e-Sign Law.
Public notification is a third route for companies that suffer large breaches, but it's not "appetizing for companies, particularly if they are trying to protect their reputations," Pink said.
This route is open to companies for which notifying affected people would cost more than $250,000, or if more than 500,000 people are affected. Public notification can also be done if a company does not have sufficient contact information for affected parties. A company would have to e-mail the people they do have information for, post a "conspicuous notice" on its Web site and notify major statewide media of the breach.
Companies that don't comply with the law could face civil litigation from affected parties. "There is no end to [the] creativity of attorneys," Pink said.
There are still some questions about SB 1386. For example, it's unclear whether California can impose requirements on companies outside of the state. It could be interpreted that such a law affects interstate commerce, which the Constitution only allows Congress to regulate.
Encrypting personal data would exempt companies from the law, but there are no minimums on the strength of the encryption. "What if a company uses encryption that can be unscrambled by anyone?" Pink said.
There are also some questions about what would happen if a low-level employee sees a breach and forgets to tell management. Could the company be held liable?
Regardless of the questions raised by the law, companies still need to prepare to comply with it. Pink recommends that companies review their systems and policies. Do they have personal information about California residents? Is that data encrypted, or can it be? Is such data accessible from the outside world?
Companies also need to establish procedures for dealing with local law enforcement. Educating employees about the law is also imperative, Pink said.
There has been some talk that Sen. Dianne Feinstein (D-Calif.) may introduce a similar law at the federal level, but such a proposal would likely face a lot of industry opposition. Other states may consider laws similar to California's, but many will likely "wait and see how the California law works in practice," Pink said.
FOR MORE INFORMATION:
FEEDBACK: What is your enterprise's biggest concern regarding SB 1386?
Send your feedback to the SearchSecurity.com news team.