On July 1, 2003, Senate bill 1386 becomes Civil Code 1798.82. In a nutshell, the law states that any person or company doing business in the state of California is responsible for notifying California residents of security breaches to their non-encrypted information. It is important to note that the actual breach does not need to occur in the state of California for the law to apply. As long as a company is doing business in the state, “doing business” defined as: having a registered agent in the state of California, having a physical office, contracting to do business with vendors in the state (parts manufacturers, suppliers), or having retail outlets in the state, they are liable to notify their California customers. However, if you are strictly a mail order business, with no ties to California except your online customers, this law may not apply to you at all.
Most corporations are going to take the path of least exposure, i.e., letters mailed to affected customers. Interestingly, there is no language in this law governing what the notification has to say, and whether or not it has to be easily understood by the customer. Even more compelling, this law applies worldwide, to any company doing business in the state, regardless of what they sell and whether or not they know that such a law exists.
As Marc Zwillinger, chair of the Information Security and Anti-Piracy practice group at Sonnenschein Nath & Rosenthal in Washington D.C. states, “Most corporations do not routinely segregate data related to California residents from other customer or employee data, this [law] may have a significant effect on how companies across the U.S. handle IT issues.”
Important to Understand
The events that trigger this law are best summed up in an excerpt that reads: ‘…acquisition of computerized data in non-encrypted form by an unauthorized person-Â¦’ Since the law does not specify information that was acquired due to unauthorized conduct, the law doesn’t necessarily require a company to disclose every act of employee misconduct.
“Data” in this case is defined as the first name, last name, and any combination of the following: Social Security Number, driver’s license number, account number, debit or credit card information. The caveat being that the data acquired has to be non-encrypted. Should a security breach occur to a database housing encrypted customer data, the law does not apply.
From a Technical Perspective
It isn’t possible to prepare for every security breach, but comprehensive response plans must be in place. Nationwide, the Federal Trade Commission (FTC) is aggressively cracking down on corporations; enforcing the edict that requires IT to maintain sufficient security and response programs to protect their customer data.
“Preventative measures are important, but do not constitute compliance.” affirms John Patzakis, President and CEO of Guidance Software, “Administrators will need to have a forensic plan in place to detect these incidents, especially internal incidents and fraudulent acquisition of customer data. Computer forensics determine what and when specific data was compromised.”
Suggestions for Getting Ready
What can you do? Since the law is in its infancy, there are no existing industry best practices. There are however, recommendations on what can be done. IDN supports the following:
- Identify key systems containing personal information and activate/enhance logging capabilities on such systems
- Consider encrypting all stored customer data. Determine whether the cost to the company is worth the time and effort of IT to employ total database encryption practices. If needed during a lawsuit, IT will have to prove the data was encrypted at the time of the security breach.
- Deploy new technology designed to provide forensic detail about network conduct (see: guidancesoftware.com) and data-flow pattern anomalies (see: www.lancope.com) Timely and accurate answers to data acquisition will be critical.
- If you don’t already have one in place, create a comprehensive Incident Response Plan that details how IT will handle security breaches and other catastrophic incidents on the corporate network. Make sure that this plan includes a detailed notification procedure on how the company will address affected customers should IT detect a security breach. The law provides for more flexibility if an existing IT policy is in place for responding to incidents and notifying customers.
- Include a provision in your IT response plan that addresses a period of investigation, and response to the security incident prior to notifying the customers. This will allow reasonable time to address the security breach and restore the integrity of the system before any mandatory notification begins.
- Review all existing third-party contracts involving the transfer of sensitive personal data to ensure that they contain provisions for notification, investigation, and the right to participate in or control reporting of incidents involving customer data. This is especially important if IT has outsourced data storage and has no visibility into the storage network’s compliance policies.
By proactively addressing threats to the infrastructure and employing a detailed incident response plan, IT Departments worldwide can provide added levels of assurance and compliance when July 1 comes around.
Disclaimer: This article is not intended to take the place of informed legal advice and/or counsel. The facts and suggestions contained herein are for informational purposes only and should be expanded upon by trusted legal sources. Should your company need specific advice and/or assistance in preparing a security response plan that is compliant with current laws and regulations, or have further questions regarding SB1386 it is recommended that you seek professional counsel.