California Senate Bill 1386, effective July 1, requires companies to notify California consumers of computer security incidents where their personal data is compromised, specifically, their names in combination with Social Security, driver’s license, or credit card numbers.
The law is enforceable whenever California consumers are affected, regardless of where the system provider is located. (The law exempts companies that encrypt consumer data, which is a windfall for providers of encryption technology.)
Companies that maintain consumer data have generally been well aware of SB 1386. However, according to Computerworld, the law is ambiguous in several details. For example, the law is not clear about when disclosure is required, saying only that it is needed when “it is reasonably believed” that personal data has been accessed without authorization.
The problem is that even when a system is cracked, it is not at all clear what data may have been compromised. Furthermore, although encryption gives companies a safe harbor, the law does not specify what level of encryption is sufficient or whether stored data as well as data in transit needs to be encrypted.
The impact of SB 1386 is being felt in industries where consumer data is maintained, such as financial services, health care, retail, and information services firms such as credit bureaus. Until the ambiguities of the law are clarified through case law, companies in these industries are wise to implement a variety of measures to protect personal data, including multi-level network security, encryption, and the use of substitute identifiers in place of personal information. Where personal data is not absolutely required, companies may simply choose not to store it at all.
November 2003
Avasant’s research and other publications are based on information from the best available sources and Avasant’s independent assessment and analysis at the time of publication. Avasant takes no responsibility and assumes no liability for any error/omission or the accuracy of information contained in its research publications. Avasant does not endorse any provider, product or service described in its RadarView™ publications or any other research publications that it makes available to its users, and does not advise users to select only those providers recognized in these publications. Avasant disclaims all warranties, expressed or implied, including any warranties of merchantability or fitness for a particular purpose. None of the graphics, descriptions, research, excerpts, samples or any other content provided in the report(s) or any of its research publications may be reprinted, reproduced, redistributed or used for any external commercial purpose without prior permission from Avasant, LLC. All rights are reserved by Avasant, LLC.