SB 1386, the California Information Practice Act, reaches far beyond California's borders, and it’s very likely that your company, regardless of where it is located, is obligated to comply.
This piece of legislation requires any company that maintains an electronic record of a resident of California to give notice whenever an attack has occurred that has caused that record to become vulnerable. The legislation applies not only to companies that own or license computerized records containing personal data about California residents, but to all of those companies’ contractors and outsourcers as well. Specifically, the law states that a contractor using data owned by another party must notify the owner of that data if a breach does occur.
The law was designed to help combat the rapidly growing problem of identity theft. It was passed after a hacker exposed payroll information on over 200,000 employees of the State of California. In that case, the employees weren’t given any notice that their personal data had been jeopardized until several weeks after the attack occurred. The new law protects personal information such as social security numbers, driver’s license numbers, state ID numbers, account numbers, and passwords that permit access to an individual’s account. Information on individuals that is publicly available does not fall under the purview of SB 1386.
California is, of course, a large and populous state, and virtually any company of any size will have some customers there, regardless of where the company itself is located. As a result of this far-reaching requirement, what is in reality a law enacted by the California legislature has become de facto federal law.
Fortunately, companies that have already implemented best practices in security probably won’t have to do anything extra in terms of deploying additional security measures. SB 1386 is just one of several pieces of legislation that have been passed at both state and federal levels to safeguard personal and financial data held in electronic form by companies. HIPAA, for example, protects the privacy of patient data in a healthcare environment, ensuring that your personal medical records are kept absolutely private. Deploying appropriate firewalls, intrusion prevention/detection, strong authentication, web filtering, logging and reporting, and other appropriate technologies is part of complying with these recent laws.
As part of complying with SB 1386, however, a company must not only make sure it has appropriate policies and technology in place; it must also make sure that any company that does business with it, and has access to customer data, does the same. In addition to precautionary measures, of course, the law calls on companies to provide notice if a breach occurs. This notice can take the form of a written or electronic notice, notification to the media, or a conspicuous posting on the company’s web site. Technically, the law only requires notification to be given to California residents, but in reality, most companies with an SB 1386 concern will find it easier and more effective from a public relations standpoint to make a blanket notification. Compliance isn’t difficult and, unlike some other pieces of legislation, won’t require massive, expensive technology deployments; however, failure to comply may yield civil liabilities, and even potential class actions.