Firms used to like handling security breaches quietly but that is no longer an option
Since it took effect nearly a year ago, California Senate Bill 1386 has altered the way many companies do business, according to legal and privacy experts.
"It has had a dramatic effect nationwide," said Benjamin Wright, a Dallas-based attorney practicing computer security and e-commerce law. "SB 1386 has had a greater impact on information security thinking than any other law. It speaks directly to a problem in information security – a very practical, day-to-day problem – which is that people break into databases."
In the past, most large enterprises had a policy of handling security breaches quietly, he said. But under SB 1386, companies that maintain personal data on California residents must disclose any breach in which an unauthorized person has accessed, or is believed to have accessed, unencrypted personal data. Companies ultimately wind up notifying more than just their California customers, making SB 1386 a national standard.
Privacy expert Larry Ponemon, founder and chairman of research firm the Ponemon Institute, agreed: "SB 1386 has had a profound impact on the way companies manage their commitment to customers, much more than other rules. The reason is a lot of companies don't have an infrastructure to separate out their California customers from the rest, so SB 1386 has become a national standard for most firms."
The law does not require companies to report to the state whether they have sent out notices, so California does not have an official tally. But Joanne McNabb, chief of the state's office of privacy protection, said she is aware of nearly two dozen organizations that have sent notices.
Last month, the University of California at San Diego (UCSD) said it was notifying thousands of students, staffers, applicants, and faculty that intruders broke into four computers at the university's business and financial services department – machines that stored personal data on approximately 380,000 people. Administrators said it appeared an intruder used disk space for DVD storage on one of the computers but there was no evidence that any personal data was accessed.
In November, Wells Fargo notified customers when a laptop containing confidential information about a few of its clients was stolen. Also last fall, Merrill Lynch notified thousands of customers when burglars stole computers that might have held their financial records.
In most cases, it is difficult for companies to know whether an intruder has actually accessed customer data, but, according to McNabb: "The purpose of this law was to give early warning, not necessarily say, 'you're a victim'."
The law has effectively given potential identity theft victims a "heads up" so they can check their credit reports, she said. It has also forced organizations to review their security procedures and, in some cases, tighten them.
"It has squarely affected development efforts within enterprises," agreed Wright. "I've heard people in seminars say, 'We developed x, y, or z, or modified what we were doing directly as a result of 1386'."
The law has also impacted customer demands, according to Diane Fraiman, senior vice-president of marketing and business development at Sanctum, a provider of web application security. The vendor offers a testing tool for audit and quality assurance teams that features automated compliance verification with various regulations, including SB 1386 – a law that "has become a very real pressure point inside their business," she said.
While the law has led some companies to increase security, it also has created a problem of "false positives," according to Ponemon. Even though they do not know for sure if data has been stolen, some businesses decide to send out generic notices to customers, which could cause unnecessary alarm.
"The general view is that it's better to be safe than sorry, but the reality is that people read these [notices] and become really fearful," he said. "There's a lot of fuzziness about what information the consumer needs in order to make an educated choice."
McNabb said the UCSD notice was the best and most helpful she has seen. The notice had information about resources to guard against identity theft and UCSD created a website for people it notified that offered credit check contacts and other resources.
"Organizations are starting to learn about writing better notices that are plain and easy to understand. These are notices that will frighten somebody, so it's not time to be bureaucratic or technical," McNabb said. "The advice I give is have your public affairs people write it, then have legal review it. Don't have the lawyers write it."
Wright advises companies to be prepared to comply with SB 1386 in the event of a break-in by having a written policy that details legal and technical procedures. Also, companies might want to rethink how they store customers' personal data – the law is triggered if an intrusion may have exposed someone's name plus another piece of confidential information such as a social security or account number. An organization might want to decentralize the storage of that data.
Businesses can also use technology to protect data, such as the modules offered by Teros, which secure specific objects such as social security numbers, he added.
A flood of lawsuits based on SB 1386 has yet to arrive – Wright is only aware of one at this time – and the procedure is not swift. A company must fail to give notice of a breach and then people who should have been notified must find out about the breach and determine what action to take.
The trend will not stop here. Tom Bennett, vice-president of marketing at Teros, said California companies are very aware of SB 1386 and those located outside the state are concerned about the potential for a similar law at the national level. In fact, U.S. Senator Dianne Feinstein introduced such a bill last summer.
Meanwhile, California SB 1279, introduced earlier this year, seeks to expand the scope of SB 1386 to include paper records containing personal data.