Costly legal battles and knee-jerk decisions on security are threatening to disrupt companies that do business with California residents.

Tomorrow, a state privacy law with nationwide reach takes effect. Security and legal experts predict that the law will burden companies with massive class-action lawsuits and could change the way corporations approach wireless technology and database security.

The new law, SB 1386, requires companies to notify California residents when unencrypted data containing their names—in combination with their Social Security numbers, driver's license numbers, or account or credit/debit card numbers together with any required access code or password—was, or is reasonably believed to have been, acquired by an unauthorized person.

But confusion about what some observers characterize as a poorly written piece of legislation has given way to panic during the past two weeks, officials in the IT security and legal sectors said.

"Companies are literally shocked by this law, and many big companies are terrified," said Bob Walters, CEO of Teros Inc. in Santa Clara, Calif.

"Under a broad reading of 1386, even virus incidents that corrupt large amounts of data must be reported, even if there is no compromise of personal information," said Michael R. Overly, a partner at the Los Angeles office of law firm Foley & Lardner. "Very large class-action lawsuits are on the horizon."

No Mention of Standards

Under the law, the theft of data that's encrypted doesn't have to be reported. But because the law makes no mention of industry security standards, particularly the appropriate level of encryption needed to protect customer data, some companies may feel forced into taking drastic, costly actions, said Overly.

"What some companies are thinking of doing is assigning a random number to a customer name in one database and linking that random number to the personally identifiable information stored in a completely separate database," he said. "This would require major changes to large company databases."
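The design Overly sketches, a random surrogate key in the operational database and the personal data held separately, can be shown end to end with two stores. The following is an added example written for this page, not code from Foley & Lardner or any company quoted; the table and column names, the in-memory SQLite stores and the sample customers are all constructed for illustration.

```python
"""Surrogate-key separation of personal data: the customer database holds a
random token per customer, and the token-to-PII mapping lives in a separate
store. A dump of either store alone contains no name paired with an SSN,
licence number or card number. Added example; schema names are assumptions."""
import secrets
import sqlite3

# Columns that, paired with a name, trigger notification as the article
# summarises the law. Column names are this example's, not the statute's.
TRIGGER_FIELDS = ("ssn", "drivers_license", "card_number")
TABLES = {
    "customers": "CREATE TABLE customers (id INTEGER PRIMARY KEY, "
                 "name TEXT NOT NULL, pii_token TEXT UNIQUE NOT NULL)",
    "vault": "CREATE TABLE vault (pii_token TEXT PRIMARY KEY, "
             "ssn TEXT, drivers_license TEXT, card_number TEXT)",
}

def open_store(name):
    """Each store is its own database (in-memory SQLite here; in production,
    separate servers with separate credentials, or the split buys nothing)."""
    db = sqlite3.connect(":memory:")
    db.execute(TABLES[name])
    return db

def new_token():
    # 128 bits from the OS CSPRNG. Never derive this from the customer id or
    # the PII itself, or the "random" link becomes guessable.
    return secrets.token_hex(16)

def add_customer(cust_db, vault_db, name, ssn=None, drivers_license=None, card_number=None):
    token = new_token()
    vault_db.execute("INSERT INTO vault VALUES (?, ?, ?, ?)",
                     (token, ssn, drivers_license, card_number))
    cur = cust_db.execute("INSERT INTO customers (name, pii_token) VALUES (?, ?)",
                          (name, token))
    return cur.lastrowid

def lookup_pii(cust_db, vault_db, customer_id):
    """The only path that joins a name to its PII: it needs both stores."""
    row = cust_db.execute("SELECT pii_token FROM customers WHERE id = ?",
                          (customer_id,)).fetchone()
    if row is None:
        return None
    pii = vault_db.execute("SELECT ssn, drivers_license, card_number FROM vault "
                           "WHERE pii_token = ?", (row[0],)).fetchone()
    return None if pii is None else dict(zip(TRIGGER_FIELDS, pii))

def dump_table(db, table):
    """Simulate what an attacker gets from one store: every row as a dict."""
    if table not in TABLES:
        raise ValueError(f"unknown table {table!r}")
    cur = db.execute(f"SELECT * FROM {table}")  # table name whitelisted above
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, r)) for r in cur.fetchall()]

def notifiable(rows):
    """True if any row pairs a name with a populated trigger field in the clear."""
    return any(r.get("name") and any(r.get(f) for f in TRIGGER_FIELDS) for r in rows)

def join_dumps(cust_rows, vault_rows):
    """What an attacker who obtained BOTH dumps can reconstruct."""
    by_token = {v["pii_token"]: v for v in vault_rows}
    return [{**c, **by_token.get(c["pii_token"], {})} for c in cust_rows]

# Constructed sample data: the single-table "before" design for comparison.
FLAT_ROWS = [{"id": 1, "name": "Ann Example", "ssn": "000-00-0001"}]

def build_demo():
    cust, vault = open_store("customers"), open_store("vault")
    add_customer(cust, vault, "Ann Example", ssn="000-00-0001")
    add_customer(cust, vault, "Bob Example", card_number="4000000000000002")
    return cust, vault

if __name__ == "__main__":
    cust, vault = build_demo()
    print("flat table exposed:", notifiable(FLAT_ROWS))
    print("customer store alone:", notifiable(dump_table(cust, "customers")))
    print("vault alone:", notifiable(dump_table(vault, "vault")))
    print("both stores:", notifiable(join_dumps(dump_table(cust, "customers"),
                                                dump_table(vault, "vault"))))
```

Two caveats the example makes visible. First, `join_dumps` shows that an intruder who reaches both stores is back to the flat-table situation, so the stores need genuinely separate access paths and credentials. Second, the article notes that the law's exemption is for encrypted data and that it sets no standard; whether a random surrogate key counts as encryption for that purpose is a legal question this example does not answer.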

Eric Beasley, senior network administrator at Baker Hill Corp., an application service provider to the financial industry, said that although the burden would be on financial institutions to notify customers of breaches, the new law has forced his company to purchase a Web application firewall from Teros and study database encryption options.

But performance issues are a concern with encryption, he said. Consequently, Carmel, Ind.-based Baker Hill is studying a possible move from the 32- to the 64-bit version of Microsoft SQL Server, which promises considerably higher performance. "That holds the promise of being able to do encryption without significantly reducing the performance we have today," Beasley said.

Performance is far from the only issue facing companies. Don Ulsch, managing director and CEO of Janus Risk Management Inc. in Marlboro, Mass., said SB 1386 cuts across virtually every corporate function, including IT security, physical security, classification management, process linkage, human resources operations and environmental monitoring.

According to Ulsch, the new law will put an even higher premium on internal monitoring, access control and personnel risk management because it "will make it easier to conduct internal sabotage operations by purposefully breaching security in order to financially and legally jeopardize the company."

Customer-tracking tools and network monitoring software capable of differentiating between genuine performance problems and security incidents that affect performance will also be critical in helping companies determine when they must make a public report, said Rajeev Khanolkar, CEO of netForensics Inc. in Edison, N.J. "If you don't know what has been compromised, you may be forced to disclose a potential compromise of your entire database," he said.
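Khanolkar's point, that without per-record visibility a company may have to treat its whole database as compromised, comes down to whether the access logs let you bound what an intruder read. The following is an added example for this page, not netForensics code or any product's output; the log format, the trusted network range and the sample lines are all constructed.

```python
"""Scoping a breach from a database access log (added example).
Constructed log format, one line per statement:
  <timestamp> session=<id> user=<db user> src=<ip> table=<name> rows=<id,id,...|*>
Goal: decide which customer records an unauthorized party actually touched,
so notification can be limited to those customers rather than the database."""
import ipaddress
import re

# Assumed policy: only the application tier in 10.1.4.0/24 may query the
# database; any other source is treated as unauthorized.
TRUSTED_NETS = [ipaddress.ip_network("10.1.4.0/24")]
# Tables whose rows, with a name, trigger notification (assumed schema).
SENSITIVE_TABLES = {"customers", "vault"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) table=(?P<table>\S+) rows=(?P<rows>\S+)$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # rows="*" records a full-table read; represent it as None.
    rec["rows"] = None if rec["rows"] == "*" else {int(x) for x in rec["rows"].split(",") if x}
    return rec

def untrusted(src):
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in TRUSTED_NETS)

def scope_breach(lines):
    """Map table -> set of row ids read by untrusted sessions.
    A value of None means a full-table read: every row must be presumed exposed."""
    records = [r for r in map(parse_line, lines) if r is not None]
    # Any session seen from an untrusted address is suspect for all its statements.
    bad_sessions = {r["session"] for r in records if untrusted(r["src"])}
    exposed = {}
    for r in records:
        if r["session"] not in bad_sessions or r["table"] not in SENSITIVE_TABLES:
            continue
        t = r["table"]
        if r["rows"] is None or (t in exposed and exposed[t] is None):
            exposed[t] = None
        else:
            exposed.setdefault(t, set()).update(r["rows"])
    return exposed

def notification_scope(exposed):
    """Sorted customer ids to notify, [] if nothing sensitive was read, or None
    when a full-table read makes the whole database the notification scope."""
    if not exposed:
        return []
    if any(rows is None for rows in exposed.values()):
        return None
    return sorted(set().union(*exposed.values()))

# Constructed sample logs.
SAMPLE_LOG = [
    "2003-06-30T02:14:07 session=s41 user=app_svc src=10.1.4.22 table=customers rows=1045",
    "2003-06-30T02:14:09 session=s41 user=app_svc src=10.1.4.22 table=vault rows=1045",
    "2003-06-30T02:31:55 session=s42 user=app_svc src=203.0.113.9 table=customers rows=1045,1046,1047",
    "2003-06-30T02:32:10 session=s42 user=app_svc src=203.0.113.9 table=orders rows=500,501",
    "2003-06-30T02:33:01 session=s42 user=app_svc src=203.0.113.9 table=vault rows=1046",
    "garbage line that does not parse",
]
FULL_SCAN_LOG = [
    "2003-06-30T03:10:00 session=s50 user=app_svc src=203.0.113.9 table=customers rows=*",
]

if __name__ == "__main__":
    print(notification_scope(scope_breach(SAMPLE_LOG)))     # three customers
    print(notification_scope(scope_breach(FULL_SCAN_LOG)))  # None: whole table
```

The two sample logs show the two outcomes the article contrasts: with row-level logging the notification list is three customers, while a single logged full-table read from the untrusted source leaves no way to bound the exposure and the entire customer table has to be presumed compromised. Logging that records only connection events, not the rows read, collapses every case into the second outcome.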

The new law may also change the way companies view and deploy wireless networks, said Ulsch. "With so much at risk, companies will have to look very seriously at wireless and the security implications," he said.

But Overly said there may be a bigger problem on the not-too-distant horizon. "Look what has happened with spam," he said. "We now have dozens of different spam laws. If individual states start doing what California is doing, companies could be faced with every state having different security requirements."