Breach, Compliance Management, Data Security, Incident Response, Network Security, TDR

California merges key departments to combat ID theft

California has merged two departments dealing with information security and privacy into a single agency that will focus specifically on combating electronic identity theft.

Gov. Arnold Schwarzenegger, a Republican, this week merged two departments into a single Office of Information Security and Privacy Protection (OISPP). Schwarzenegger's office said the agency gives California unprecedented tools to guide law enforcement, businesses, advocacy groups and consumers in the battle against ID theft.

The new agency combined the former Office of Privacy Protection (OPP), a part of the Department of Consumer Affairs formed in 2001, with the state Information Security Office (ISO), formerly part of the Department of Finance. OPP was formed to identify consumer privacy issues while the ISO was responsible for overseeing information security, risk management and operational recovery planning within state government.

Schwarzenegger, who signed SB 90 in August of last year authorizing the merger of the two agencies, has sponsored two special conferences on identity theft.

“[The formation is] recognition that identity theft is not only a growing problem, but one that will be with us for a number of years," Howard Schmidt, (ISC)2 security strategist and former White House cyber security adviser, told, adding that the OISPP will help local law enforcement agencies battle fraud and "be proactive in preventing [ID theft].”

Schwarzenegger drew the ire of privacy advocates last October when he vetoed the Consumer Data Protection Act, AB 779, which would have made merchants responsible for reissuing credit cards and alerting customers following a breach, taking the onus from financial institutions.

However, the creation of the combined office will place more attention on the actions of corporations, said Mari Frank, a member of the OPP advisory board and an ID theft expert.

"I'm optimistic that this new office will bring more emphasis on companies doing the right thing," she told

California has traditionally played a lead role among the states on data privacy issues. The groundbreaking SB 1386, which went into effect in 2003, requires financial institutions to notify state consumers when they lose personal information and applies to all companies doing business with Golden State residents. In the five years since, many states have imitated the bill.

Beth Givens, director of the Privacy Rights Clearinghouse, a non-profit consumer-protection organization, also has high hopes for the combined agency.

"The office has tremendous potential provided that it really focuses on privacy policy and protection as much as information security," she told "The name of the office [as it] was originally proposed did not have the word 'privacy' in it -- only 'information security.'"

Frank, a victim of identity theft herself, also has suggestions for the agency.

"I'd like to see the office set up an ombudsman office within the combined office to have a mediation component," she said. This "would help with privacy and security disputes so that dispute resolution could be addressed quickly and effectively without costly lawsuits."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.