Companies are unprepared for California data privacy law
Computerworld - Companies doing business in California have a compelling reason to bolster their data security.
A tough new state law that goes into effect July 1 will require companies that maintain data on California residents to inform individuals of any security breaches that result in their personal information being stolen.
Apart from those in the financial services and health care sectors, few companies appear to be aware of the pending rules, according to some legal experts. That could be dangerous, since failure to comply with the statute's requirements could expose companies to potentially costly lawsuits, legal experts warned.
"The law is a sleeper that has not received much national attention," said Christopher Wolf, a partner in the Washington office of Proskauer Rose LLP.
California SB 1386 was signed into law last year and is being used as a model for a similar federal identity-theft-related bill (see story). Both laws aim to force companies to proactively identify security breaches that could result in identity theft -- something that companies have traditionally been unwilling to do.
"[California's] law does more through implication rather than direct language," said Michael Overly, a partner at Foley & Lardner, a Los Angeles law firm.
The law doesn't spell out the administrative or technical actions that companies might need to take to be in compliance. But the implication is that companies need mechanisms for detecting, monitoring and responding to breaches that might compromise personal data.
"One clear safe harbor is to encrypt data on your storage media," Overly said. Companies that do so are exempt from the provisions of SB 1386. Since the law applies only when a customer's name is stolen along with other pieces of identifying information -- such as a Social Security or driver's license number -- it might also make sense to store such elements separately, he said.
The law is ambiguous about what specifically constitutes a breach and about how quickly and in what manner customers must be informed. Even so, it could open up a can of worms for companies, according to some legal experts.
"The PR consequences of only notifying California residents [of a security breach] could be very bad," said Wolf. "So California has come up with a consumer-oriented law that could become the next headache for businesses using computers all across the country."
In addition, there is little to show that the law addresses the identity-theft issue for which it was created, said Tamara Salmon, counsel for the The Investment Company Institute in Washington, which represents about 9,000 investment companies around the country.
"We are not sure what these notices are meant to accomplish," Salmon said. "What is an individual supposed to do with that information?" Instead, it would have been better if the law required companies to inform law enforcement of any breaches involving the theft of personal information, she said.
Read more about Gov't Legislation/Regulation in Computerworld's Gov't Legislation/Regulation Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Changing the Way Government Works: Four Technology Trends that Drive Down Costs and Increase Productivity
This paper discusses four technology-based approaches to improving processes and increasing
productivity while driving down department and agency costs.
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Gov't Legislation/Regulation White Papers | Webcasts