New Calif. ID-theft bill would toughen earlier law

Computerworld - Companies concerned about potential liability issues raised by California's identity-theft law may have a whole lot more to worry about if a recently proposed piece of similar legislation is passed.
The proposed ID-theft law, which has managed to remain below the radar of many companies for some time now, is called Senate Bill 1279 and was introduced by California Sen. Debra Bowen on Feb. 13.
The proposed bill seeks to toughen and broaden the scope of legislation already in place.
Under that law, put into place last year, any company that maintains computerized databases containing certain personal information about California residents is obligated to inform those individuals of any security breach in which unencrypted personal data may have been compromised.
SB 1279 seeks to widen the definition of breachable data to include all data, rather than only computerized data. Under SB 1279, any personal data maintained on voice systems or on paper would be covered by the same provisions that currently apply only to computerized data.
The bill would also require companies that suffer a security breach involving personal information to provide two years of credit-monitoring services, without charge, to each affected individual.
"As you might guess, this bill would significantly impact organizations already concerned about SB 1386," said a security analyst at a large financial services organization with operations in California who asked not to be named.
"It would have some real serious operational implications for affected companies," the user said. For one thing, the potential costs of paying for credit-monitoring services for individuals whose personal information may have been compromised is huge. Broadening the definition of breachable data also makes the task of protecting it "monumentally" difficult, he said.
"So naturally, from a practioner's perspective, none of us are thrilled about it," he said.
Extending the scope of the identity theft law to include non-computerized data as well as non-electronic data couldpose huge challenges, said Christopher Pierson, an attorney with Lewis and Roca LLP, in Phoenix.
"It greatly increases the number of documents that needs to be protected and the risk of [legal] exposure," Pierson said.
California's existing law also provides a safe harbor for companies that encrypt personally identifiable information. That escape clause will not be available under the new bill since companies will not be able to encrypt hard copy documents, he said.
As a result, there would be signifcant pressure on companies to pay attention not only to IT security but to physical security, too, he said.
According to the user who did not wishto be named, there already is a quiet lobbying effort under way to stop the bill from being passed.
But because of rising concerns over identity theft the proposed measure will ikely pass muster, Pierson said.
The law adds to a growing number of privacy and identity-theft related regulations being considered or enacted in California.
On July 1, a new privacy law goes into affect that will require commercial Web sites to post privacy notices. Another law, set to go into effect next January, requires companies to provide individuals with a list of all the information that has been collected about them and is being shared with third parties.
Companies unwilling to do so are required to give consumers a clear way of opting out of information sharing.

Read more about legislation/regulation in Computerworld's Legislation/Regulation Knowledge Center.