The FAQs about SB-1386

By Sarah Lourie, SearchCIO.com Assistant Editor
12 Dec 2003 | SearchCIO.com


Only in California would a law make crime victims publicly announce that they have been attacked.

In many ways the California Information Practice Act or Senate Bill 1386 does just that. The law, which went into effect in July of this year, requires companies that own or have access to personal information of California residents to notify them if their data have (or may have) been accessed illegally.

The law uses fear and shame to make companies think more seriously about information security. No company wants to tell customers that its systems were hacked and sensitive data was accessed.

Since this is the first law of its kind, there are bound to be questions. Here's a list of Frequently Asked Questions about the new SB-1386:

Whom does the law affect?

If you have even one customer or one employee in California, this law affects you. If you are an outsourcing (offshore or not) company that's doing work for a company with customers or employees in California, this law affects you. If you store data for companies with information on California residents, this law affects you. If you are a small business or a large company, this law affects you.

How is "personal information" defined?

According to California, personal information includes "an individual's first name or first initial and last name in combination with one or more of the following": a Social Security number; a driver's license number or California Identification Card number; an account number; and/or credit or debit card information, including card numbers and passwords, PINs and access codes.

What happens if I don't comply?

If no one finds out, nothing happens. However, this is a civil law, and one that will probably be played out in the media. So if the public embarrassment and public relations nightmare aren't reason enough to comply, there are also the lawsuits that will come from the individual(s) whose information was accessed.

What should I do to ensure that I'm in compliance?

According to the law offices of Miller & Holguin in Los Angeles, there are a few steps you can take.

  • Appoint a security officer to ensure SB-1386 compliance. Among other things, this person should initiate communication and training within the company to develop awareness of the security measures and adherence to policies and procedures.
  • Identify the location of all databases that contain personal information and implement access controls and physical security measures for data security. This also includes limiting access to systems and information by personnel and outside parties.
  • Develop and implement measures for detecting and reporting incidents of unauthorized access to personal information. Make sure you retain relevant records and test, maintain and audit the effectiveness of access controls and security measures.
  • Develop and implement procedures for rapid assessment of suspected security breaches, referral of suspected criminal acts to law enforcement agencies, notification of affected California residents and for appropriate public announcements to stakeholders and other interested parties to minimize the negative impact of the security breach.
  • Review arrangements with all third parties who store, process or transmit personal information. Take steps to require them to adopt equivalent measures.

Where can I find guidelines and resources on SB-1386?

There are numerous sites offering information on the bill. Here's a small sampling:
