California is always on top of the game when it comes to technology and social innovation. While the newest development from the Golden State might be on the right track, it’s not necessarily the winning bet.
On July 1, first-of-its-kind data security legislation went into effect in California. The Security Breach Information Act (S.B. 1368) mandates that any company with reason to believe that unencrypted customer data has been compromised must notify its in-state clients and customers. Customers injured by violations of the statute are authorized to bring private lawsuits for damages. The legislation applies to California state agencies, as well as any person or business that conducts business in California or with California residents.
Qualifying customer data, or “personal information” as the statute calls it, is defined as follows: a first name or initial together with a last name, combined with either a driver’s license number or a bank account or credit card number and security code.
Companies must provide customers whose data may have been compromised with written or electronic notification. If more than 500,000 customers need to be notified, then the company must e-mail all customers, post a notice on its Web site and provide notification to major statewide media.
John Pescatore, research director for Internet security with Gartner, says the law is a step in the right direction. So far in 2003 more than 8 million credit card numbers have been stolen, and those are only the reported cases. “But there are plenty of loopholes,” he asserts. “Only specific data types are covered, like the association of a name and a credit card number; if just a list of names and addresses got out, for instance, a company wouldn’t have to disclose.” The new law covers only unencrypted data but does not specify any level of encryption. “So my company might just change Js to Ks and 1s to 2s and say it’s encrypted.”
But the law covers more than just electronic data. “If some company dumps billing records or order sheets with my name and credit card number, and somebody goes dumpster diving, that’s a qualifying incident,” Pescatore notes. Of course it’s not that easy to track incidents of dumpster diving. And, as he reiterates: “It’s not easy to track electronic ones either.”
So is this law just the news that data security companies are looking for to boost sales? Yes and no. “Many security vendors are saying ‘Look at this law; now you’ll have to buy all this new security stuff.’ But we just don’t think that’s true,” Pescatore says.
Data encryption was beginning to gain critical importance even before this law, according to Pescatore, and it might be easier for your company to manage than you’d expect. Many off-the-shelf database systems, like Oracle’s, have encryption systems built in; they simply have to be activated. Some operating systems, like Windows, have encryption capabilities, as well. Last but not least, building or buying an encryption system is an option.
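As an added illustration (not part of the original article, and not code from Gartner or from any database or operating-system vendor mentioned), the script below makes Pescatore’s loophole concrete. The “change Js to Ks and 1s to 2s” scheme is a fixed, keyless relabelling of symbols: anyone who knows the scheme reverses it, and it leaves the statistical shape of the data untouched. Output of a real cipher, such as the built-in database encryption described above, is instead indistinguishable from random bytes. The code implements the stand-in scheme, recovers the records without any key, and uses byte entropy as a rough check of whether a stored field looks like real ciphertext or like relabelled plaintext. The customer records, the function names and the random-bytes stand-in for real ciphertext are all constructed for this example.

```python
import math
import os
from collections import Counter


def shift_substitute(text: str, step: int) -> str:
    """Shift every ASCII letter and digit by `step` within its own class.

    This is the "Js to Ks and 1s to 2s" scheme from the quote: a fixed,
    keyless, reversible relabelling of symbols. It is not encryption.
    """
    out = []
    for ch in text:
        if "0" <= ch <= "9":
            out.append(chr((ord(ch) - ord("0") + step) % 10 + ord("0")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + step) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + step) % 26 + ord("A")))
        else:
            out.append(ch)  # punctuation and spaces pass through unchanged
    return "".join(out)


def fake_encrypt(record: str) -> str:
    return shift_substitute(record, 1)


def fake_decrypt(record: str) -> str:
    # No key is involved: knowing the scheme is enough to undo it.
    return shift_substitute(record, -1)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, estimated from the byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(sample: bytes, min_len: int = 1024, threshold: float = 7.0) -> bool:
    """Heuristic check for a stored field: real ciphertext is close to
    8 bits/byte, while relabelled plaintext keeps the low entropy of names
    and digits. Only meaningful on a reasonably large sample."""
    return len(sample) >= min_len and shannon_entropy(sample) >= threshold


# Constructed sample records in the shape the statute cares about:
# name + card-like number + security code. Not real people or accounts.
def sample_records(count: int = 200) -> list[str]:
    return [
        f"Customer{i:03d} Example,0000 0000 0000 {i:04d},{(i * 7) % 1000:03d}"
        for i in range(count)
    ]


def sample_plaintext() -> bytes:
    return "\n".join(sample_records()).encode("ascii")


def sample_fake_ciphertext() -> bytes:
    return "\n".join(fake_encrypt(r) for r in sample_records()).encode("ascii")


def random_stand_in_ciphertext(length: int = 4096) -> bytes:
    # Stand-in for the output of a real cipher: uniformly random bytes,
    # which is what good ciphertext looks like to anyone without the key.
    return os.urandom(length)


def recover_without_key(stored: bytes) -> list[str]:
    """Reversing the substitution needs no secret at all."""
    return [fake_decrypt(line) for line in stored.decode("ascii").split("\n")]


if __name__ == "__main__":
    plain, fake = sample_plaintext(), sample_fake_ciphertext()
    print(f"plaintext entropy      : {shannon_entropy(plain):.2f} bits/byte")
    print(f"'Js to Ks' entropy     : {shannon_entropy(fake):.2f} bits/byte")
    print(f"random stand-in entropy: {shannon_entropy(random_stand_in_ciphertext()):.2f} bits/byte")
    print("looks_encrypted(fake):", looks_encrypted(fake))
    print("first recovered record:", recover_without_key(fake)[0])
```

Because the substitution is a one-to-one relabelling of the alphabet, the byte histogram of the “encrypted” data is just a permutation of the plaintext’s, so the entropy is identical; the check flags it as not encrypted. The entropy heuristic is only a screening aid for a data-inventory review: a short field or compressed data can fool it in either direction, and the authoritative answer is whether the storage layer’s real encryption (the database or OS feature mentioned above) is actually switched on.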
Principally the law does two good things, according to Pescatore. “It forces companies to make sure they have a notification process in place, which many companies never thought about. And the more companies fear having to disclose a break-in, the more likely they are to try and protect information.” Even though the legislation sets a legal precedent, “this law is basically saying if you’re doing what’s right you’re okay. But the bottom line is it does force businesses to look a little more carefully at where they might be storing customer information.”