New Calif. ID-theft bill would toughen earlier law
If adopted, it would cover all data kept on California residents by companies
Computerworld - Companies concerned about potential liability issues raised by California's identity-theft law may have a whole lot more to worry about if a recently proposed piece of similar legislation is passed.
The proposed ID-theft law, which has managed to remain below the radar of many companies for some time now, is called Senate Bill 1279 and was introduced by California Sen. Debra Bowen on Feb. 13.
The proposed bill seeks to toughen and broaden the scope of legislation already in place.
Under that law, put into place last year, any company that maintains computerized databases containing certain personal information about California residents is obligated to inform those individuals of any security breach in which unencrypted personal data may have been compromised.
SB 1279 seeks to widen the definition of breachable data to include all data, rather than only computerized data. Under SB 1279, any personal data maintained on voice systems or on paper would be covered by the same provisions that currently apply only to computerized data.
The bill would also require companies that suffer a security breach involving personal information to provide two years of credit-monitoring services, without charge, to each affected individual.
"As you might guess, this bill would significantly impact organizations already concerned about SB 1386," said a security analyst at a large financial services organization with operations in California who asked not to be named.
"It would have some real serious operational implications for affected companies," the user said. For one thing, the potential costs of paying for credit-monitoring services for individuals whose personal information may have been compromised is huge. Broadening the definition of breachable data also makes the task of protecting it "monumentally" difficult, he said.
"So naturally, from a practioner's perspective, none of us are thrilled about it," he said.
Extending the scope of the identity theft law to include non-computerized data as well as non-electronic data couldpose huge challenges, said Christopher Pierson, an attorney with Lewis and Roca LLP, in Phoenix.
"It greatly increases the number of documents that needs to be protected and the risk of [legal] exposure," Pierson said.
California's existing law also provides a safe harbor for companies that encrypt personally identifiable information. That escape clause will not be available under the new bill since companies will not be able to encrypt hard copy documents, he said.
As a result, there would be signifcant pressure on companies to pay attention not only to IT security but to physical security, too, he said.
According to the user who did not wish to be named, there already is a quiet lobbying effort under way tostop the bill from being passed.
But because of rising concerns over identity theft the proposed measure will ikely pass muster, Pierson said.
The law adds to a growing number of privacy and identity-theft related regulations being considered or enacted in California.
On July 1, a new privacy law goes into affect that will require commercial Web sites to post privacy notices. Another law, set to go into effect next January, requires companies to provide individuals with a list of all the information that has been collected about them and is being shared with third parties.
Companies unwilling to do so are required to give consumers a clear way of opting out of information sharing.
Read more about Gov't Legislation/Regulation in Computerworld's Gov't Legislation/Regulation Topic Center.
Changing the Way Government Works: Four Technology Trends that Drive Down Costs and Increase Productivity
This paper discusses four technology-based approaches to improving processes and increasing
productivity while driving down department and agency costs.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Gov't Legislation/Regulation White Papers | Webcasts