Senate Bill 1386, which came into force in 2003, was designed to protect California consumers by ensuring that if any company holding personal details suffered a security breach, it had an obligation to inform consumers affected.
The effect of the legislation went way beyond the borders of California, however, with companies right across the U.S. finding themselves forced to reveal their mistakes. From the start of this year, the cases started going public. Retailers, financial companies, manufacturers and media organizations all fell prey to the long arm of the law, and were obliged to admit their mishaps in public.
But no one suggested that security had suddenly worsened in the U.S. in 2005. Breaches such as these had been happening as long as companies ran computer systems. The difference is that while they might have been able to conceal their sins before, they now had to fess up and face damage to their reputation.
The success of SB1386 has been infectious, and more than a dozen states have now passed similar legislation to force disclosure of personal data loss. Many expect a federal law will follow shortly.
Until then, SB1386 may also prove effective in forcing companies to take security as seriously as some of the corporate governance legislation. The management consultancy Ernst & Young recently carried out a worldwide survey of the state of security in large corporations and found that while companies were spending vast amounts to comply with Sarbanes-Oxley and similar European legislation, their security was not really improving. In nearly 40 percent of companies, budgets were being spent on compliance at the expense of keeping up with protection against viruses and worms.
"This year's research shows that not only is regulation the new primary driver for information security investment, the pressure to comply with the huge burden created by industry regulation, such as Sarbanes-Oxley and the 8th Directive [in the European Union], has placed information security firmly in the boardroom," says Jan Babiak, head of information security advisory services at Ernst & Young.
But it was disappointing, she said, that many executives were "missing the opportunity to use compliance as a catalyst to leverage this investment and, more importantly, embed information security as an integral part of strategic initiatives." In other words, for many companies, compliance was a question of being able to check the right boxes rather than achieve real security in the process.
SB1386, on the other hand, allows for no such distinction. If you lose personal data, your reputation will suffer. And that prospect may in the long term do more to really help tighten security.