New California Law on Data Privacy Is Unclear in the Details

November, 2003

California Senate Bill 1386, effective July 1, requires companies to notify California consumers of computer security incidents in which their personal data is compromised: specifically, their names in combination with Social Security, driver’s license, or credit card numbers.

The law is enforceable whenever California consumers are affected, regardless of where the system provider is located. (The law exempts companies that encrypt consumer data, which is a windfall for providers of encryption technology.)

Companies that maintain consumer data have generally been well aware of SB 1386. However, according to Computerworld, the law is ambiguous in several details. For example, the law is not clear about when disclosure is required, saying only that it is needed when “it is reasonably believed” that personal data has been accessed without authorization.

The problem is that even when a system is cracked, it is not at all clear what data may have been compromised. Furthermore, although encryption gives companies a safe harbor, the law does not specify what level of encryption is sufficient or whether stored data as well as data in transit needs to be encrypted.

The impact of SB 1386 is being felt in industries where consumer data is maintained, such as financial services, health care, and retail, and in information services firms such as credit bureaus. Until the ambiguities of the law are clarified through case law, companies in these industries would be wise to implement a variety of measures to protect personal data, including multi-level network security, encryption, and use of identifiers to substitute for personal information. In other cases, when personal data is not absolutely required, companies may want to simply not store such information.
