One year later, California identity theft law remains low-key

The regulation hasn't spurred predicted lawsuits but has increased awareness

Nearly a year after California's landmark SB 1386 identity theft law went into effect, there has been none of the troublesome litigation that had been predicted to come in its wake.

But the law has raised overall corporate awareness of the need to have strong privacy protections in place, legal experts said last week.

SB 1386, which went into effect July 1 last year, requires companies that do business with California residents to inform customers when their names, in combination with personally identifiable information, have been accessed by an unauthorized person (see story). Some legal experts had expected the law to open a floodgate of trouble, especially because of the ambiguous nature of some of its provisions.

For instance, the law calls for companies to encrypt data but doesn't specify what level of encryption is considered legally acceptable. Similarly, the law isn't specific about the obligations of the IT organization, mandating only that companies notify customers when "it is reasonably believed" that personal information has been compromised.

Educational Impact

To date, there have been no publicly disclosed cases in which the provisions of the law have been tested in court.

"It appears that it didn't have quite the impact that was expected," said Arshad Noor, CEO of StrongAuth Inc., an identity and compliance management company in Cupertino, Calif. "There have been no lawsuits and no court cases [so far]."

But it would be a mistake to take that to mean the law has not been effective, said Donald Harris, president of HR Privacy Solutions Ltd., a New York-based identity management consultancy. "Companies are trying to do whatever they can to avoid any kind of litigation or enforcement" under SB 1386, said Harris, who conducts corporate workshops on the issue.

"The very fact that the legal risk posed by the law has caused companies to enact protective and responsive measures" demonstrates its value, echoed Erin Kenneally, a forensic analyst at the University of California, San Diego.

"Many organizations, if they have a good and well-funded staff of security professionals, are adding SB 1386 to whatever other compliance requirements they have in effect," said Stephen Wu, president of InfoSec Law Group PC in Mountain View, Calif.

The IT department at Latham & Watkins LLP, a Los Angeles-based law firm, is one example. "We've conducted SB 1386 awareness training, reviewed our systems and databases that could be subject to the law and have determined how we would respond in the event of a breach," said Eric Goldreich, the firm's manager of technology.

And though no suits have been filed under the law, it has gotten companies to proactively notify customers of security breaches involving personal information, said Christopher Pierson, an attorney at Phoenix-based Lewis and Roca LLP. "There are some companies that are still waiting for case law to be established" to fully implement SB 1386 requirements, Pierson said. "My advice is to err on the side of caution and not be the first test case for 1386."

Copyright © 2004 IDG Communications, Inc.

Shop Tech Products at Amazon