Where Did the Data Go?
States get serious on data-loss notification
January 9, 2006 12:00 PM ETComputerworld -
"Is our data missing?" Does that sound familiar? Just last month, hotel chain Marriott International Inc. disclosed that backup computer tapes containing data on approximately 206,000 customers were missing from a company office in Florida.
Major thefts and misappropriations of computerized personal and financial information are causing legislators nationwide to focus on this issue. Amid rising concern over the problem of identity loss, California and other states have enacted laws to give members of the public prompt notification that their personal information may have been misappropriated. Because the 2002 California law is the model that other states have followed in enacting data security breach notification requirements, several points should be noted with respect to that law.
General scope. The California law applies to any company that does business in the state and that owns or licenses computerized data that includes personal information. "Personal information" is defined as a combination of two categories of information: identifying information (i.e., a person's first name or initial and last name) and any item in a specific list of data elements -- Social Security number, driver's license or California ID card number, or a financial account number in combination with the account password, security code or access code. To constitute personal information, the security breach must involve both identifying information and one of the specified data elements but does not include publicly available information that is lawfully made accessible to the general public from government records.
Encryption. The notification requirements of the California law don't apply if either the personal identifying information or the data elements are in encrypted form.
What constitutes a breach? The term breach of the security of the system is defined as "unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person or business."
Who must be notified, and how? The California law requires reasonably expedient notification to individuals whose unencrypted personal information "was, or is reasonably believed to have been acquired by an unauthorized person." Notice may be on paper or in electronic form. There is a provision for so-called substitute notice if the cost of notifying individual consumers would exceed $250,000 or if the number of consumers to be notified exceeds 500,000. Substitute notice consists of all of the following efforts: e-mail notice to those consumers for whom the company has an e-mail address, conspicuous posting on the company's Web site and notification to statewide media. If a security breach takes place while the information is in the hands of
IT Management
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

