Only in California would a law make crime victims publicly announce that they have been attacked.
In many ways California Senate Bill 1386 (SB-1386), which amended the state's Information Practices Act, does just that. The law, which took effect on July 1, 2003, requires any company that owns, licenses or maintains computerized personal information about California residents to notify those residents when their unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The law uses fear and shame to make companies think more seriously about information security. No company wants to tell its customers that its systems were hacked and that sensitive data were accessed.
Since this is the first law of its kind, there are bound to be questions. Here's a list of Frequently Asked Questions about the new SB-1386:
Whom does the law affect?
If you have even one customer or one employee in California, this law affects you, regardless of where your company is located. If you are an outsourcing company (offshore or not) doing work for a company with customers or employees in California, this law affects you. If you store or process data for companies that hold information on California residents, this law affects you. Whether you are a small business or a large company, this law affects you.
What counts as "personal information"?
Under the statute, personal information is "an individual's first name or first initial and last name in combination with one or more of the following" data elements: a Social Security number; a driver's license number or California Identification Card number; or an account number, credit card number or debit card number together with any required security code, access code, PIN or password that would permit access to the individual's financial account. Two caveats matter in practice: an account or card number on its own, without the code that unlocks the account, does not meet the definition, and the notification duty applies only when the name or the data element is held unencrypted. If both the name and the element are encrypted, the combination is outside the statute's definition.
What happens if I don't comply?
If no one finds out, nothing happens. However, this is a civil law, and one whose violations will probably be played out in the media. If the public embarrassment and the public relations nightmare aren't reason enough to comply, the statute also gives any customer injured by a violation a civil cause of action for damages, so lawsuits from the individual(s) whose information was accessed are a real possibility.
What should I do to ensure that I'm in compliance?
According to the law offices of Miller & Holguin in Los Angeles, there are a few steps you can take.
- Appoint a security officer responsible for SB-1386 compliance. Among other things, this person should initiate communication and training within the company to build awareness of the security measures and adherence to policies and procedures.
- Identify the location of every database that contains personal information, and implement access controls and physical security measures for it. This includes limiting access to those systems and that information by personnel and by outside parties.
- Develop and implement measures for detecting and reporting incidents of unauthorized access to personal information. Retain the relevant records (logs, access records, change histories) and test, maintain and audit the effectiveness of the access controls and security measures.
- Develop and implement procedures for rapid assessment of suspected security breaches, referral of suspected criminal acts to law enforcement agencies, notification of affected California residents, and appropriate public announcements to stakeholders and other interested parties to minimize the negative impact of a breach. The statute requires notification in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, so the assessment procedure cannot be an afterthought.
- Review arrangements with all third parties who store, process or transmit personal information on your behalf, and require them by contract to adopt equivalent measures. The statute itself requires a third party that maintains the data to notify the owner or licensee immediately upon discovering a breach.
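The first practical problem in the "identify the location of all databases" step is deciding which records actually meet the statutory definition given in the "personal information" answer above. The following is an added example, not code from the article or from Miller & Holguin: a small Python check that applies the statute's combination rules (name plus a qualifying element; account or card numbers count only together with their access code; a combination is exempt only when both the name and the element are encrypted) to constructed sample records. The field names, the `Record` layout and the sample data are assumptions for a hypothetical customer table, not anything the article describes.

```python
"""Flag records that hold notifiable personal information under SB-1386.

Added illustrative example (not from the article). Field names, the Record
layout and the sample data below are assumptions for a hypothetical customer
table. The interpretation of "encrypted" is also an assumption: an element is
treated as encrypted only when every field that makes it up is encrypted.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Elements that qualify on their own when combined with a name.
STANDALONE_ELEMENTS = ("ssn", "drivers_license")


@dataclass(frozen=True)
class Record:
    first_name: Optional[str]           # full first name or just the first initial
    last_name: Optional[str]
    ssn: Optional[str] = None
    drivers_license: Optional[str] = None  # driver's license or CA ID card number
    account_number: Optional[str] = None   # bank, credit or debit card number
    account_code: Optional[str] = None     # PIN / password / security code for it
    encrypted: FrozenSet[str] = frozenset()  # names of fields stored encrypted


def _present(rec: Record, field_name: str) -> bool:
    value = getattr(rec, field_name)
    return isinstance(value, str) and value.strip() != ""


def notifiable_elements(rec: Record) -> List[str]:
    """Return the statutory elements that make `rec` notifiable ([] if none).

    Rules encoded:
      1. a name (first name or initial plus last name) must be present;
      2. SSN and driver's-license/ID numbers qualify on their own;
      3. an account or card number qualifies only with the code that
         grants access to the account;
      4. a combination is exempt only if both the name and the element
         are encrypted (the statute covers "either ... not encrypted").
    """
    if not (_present(rec, "first_name") and _present(rec, "last_name")):
        return []
    name_encrypted = {"first_name", "last_name"} <= rec.encrypted

    found: List[str] = []
    for field_name in STANDALONE_ELEMENTS:
        if _present(rec, field_name) and not (name_encrypted and field_name in rec.encrypted):
            found.append(field_name)

    if _present(rec, "account_number") and _present(rec, "account_code"):
        element_encrypted = {"account_number", "account_code"} <= rec.encrypted
        if not (name_encrypted and element_encrypted):
            found.append("account_number+code")
    return found


def scan(records: Dict[str, Record]) -> Dict[str, List[str]]:
    """Map record id -> qualifying elements, for every record that is notifiable."""
    result: Dict[str, List[str]] = {}
    for rid, rec in records.items():
        elements = notifiable_elements(rec)
        if elements:
            result[rid] = elements
    return result


# Constructed sample records (not real data) covering each rule above.
SAMPLE_RECORDS: Dict[str, Record] = {
    "r1": Record("Alice", "Nguyen", ssn="123-45-6789"),                  # name + SSN
    "r2": Record("B", "Ortiz", account_number="4111111111111111"),        # card, no code
    "r3": Record("B", "Ortiz", account_number="4111111111111111",
                 account_code="9321"),                                   # card + PIN
    "r4": Record("Chen", "Wu", ssn="987-65-4321",
                 encrypted=frozenset({"first_name", "last_name", "ssn"})),  # all encrypted
    "r5": Record("Chen", "Wu", ssn="987-65-4321",
                 encrypted=frozenset({"first_name", "last_name"})),      # SSN in the clear
    "r6": Record(None, None, ssn="555-55-5555"),                           # no name
}

if __name__ == "__main__":
    for rid, elements in scan(SAMPLE_RECORDS).items():
        print(f"{rid}: notifiable because of {', '.join(elements)}")
```

Run stand-alone, the script reports r1 (SSN), r3 (card number plus PIN) and r5 (encrypted name but plaintext SSN) and stays silent on r2, r4 and r6. The same function can be pointed at a real table export to produce the inventory the second checklist item calls for; the point of the encryption rule is that field-level encryption only takes a record out of scope when it covers both halves of the combination.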
Where can I find guidelines and resources on SB-1386?
There are numerous sites offering information on the bill. Here's a small sampling:
- Strong Auth Inc. offers in-depth coverage, including the history of the bill, the original text of the bill, a nine-page FAQ section and links to news stories.
- The official California State Government site on SB-1386
- Check out various links on compliance issues at SearchSecurity.com