One year after its inception, experts continue to disagree about the effectiveness of California's Database Security Breach Notification Act, more commonly called SB 1386. Some experts believe the law has been crucial in getting organizations to closely examine their security measures, while others say it has had a chilling effect on the additional security measures companies might otherwise be willing to take.
"SB 1386 reinforces what companies were doing right," said former U.S. cybersecurity czar Howard Schmidt. "It puts extra emphasis on companies' desire to do more to secure their data."
Under SB 1386, anyone doing business with California residents must disclose any security breach of unencrypted, personally identifiable information that was, or is reasonably believed to have been, viewed or acquired by an unauthorized person. However, the law is extremely limited in its application: it covers only a person's first and last name when combined with a Social Security number, a driver's license number, or a financial account together with its password. Though several organizations, including major public universities, have had to notify consumers or employees, to date no cases have been tested in court.
"I believe it's been fabulously effective in forcing businesses to look at their security measures, do audits, update security policies and get better informed about how they're managing data," said Michael Overly, a partner in the law firm of Foley & Lardner. "I've seen more interest by businesses in evaluating and reevaluating their security practices as a result of 1386 in California than I have with most other legislation involving security in the last few years. Public disclosure is driving it."
Joseph Ansanelli, CEO of San Francisco-based Vontu Inc., disagrees. "SB 1386 has created a chilling effect on companies that want to do the right thing in protecting consumer data. The reason for that is because it's vaguely worded and riddled with inconsistencies to the point where companies probably feel it's safer to do nothing until they understand the true impact the law will have," he said.
For example, SB 1386 uses terminology like "reasonably believed" to trigger the notification requirement, and it calls for companies to encrypt data without specifying how.
"Once you have the first major lawsuit and people see how the courts respond to an incident they will have a better understanding of what the law means to them," Ansanelli added.
What needs to be considered, Ansanelli said, is that there's a real need for a broad national consumer data security standard to clarify expectations for enterprises. "Having a patchwork of 50 different state laws will only lead to confusion in terms of how companies need to protect consumer data," said Ansanelli.