News
News
6/20/2003
04:38 PM
Connect Directly
RSS
E-Mail
50%
50%

California's New Rules Of Disclosure

State law will force companies nationwide to make security breaches public

A California law that takes effect July 1 will force companies inside and outside the state to do what they historically have been loath to do: disclose embarrassing information-security breaches.

If companies believe that their California customers' personally identifiable financial information may have been accessed by an unauthorized party, they must inform those customers of the breach. Disclosure may be delayed if law-enforcement officials deem the disclosure could jeopardize an investigation.

Of 376 organizations polled for the 2003 Computer Security Institute/FBI Computer Crime and Security Survey, each experiencing a breach in the past year, half say they kept the incidents quiet. Thirty percent of those surveyed reported the breach to law enforcement, while 21% sought legal counsel. A majority of organizations say negative publicity was the reason for not disclosing security breaches to law enforcement.

Now organizations that do business with Californians won't have a choice--and the same may soon be true for companies that don't. A federal law similar to California's is in the works: Sen. Dianne Feinstein, D-Calif., is readying a federal bill based largely on the California law.

Quick Poll
Will your company invest or invest more in encryption as a result of the new California law?
Security experts say most companies, especially those outside the already heavily regulated health-care and financial industries, have done little to prepare for the new law. "Companies underestimate the impact of the law," says Ryan McGee, director of product marketing for Internet security company Network Associates Inc.'s McAfee division. He says his company has received few inquires from customers about how to comply. "It will take lawsuits and serious damages before many businesses become concerned about it," McGee says.

The law, which passed last year, is only now grabbing the attention of companies outside California. "We found out that it applies to us a few weeks ago," says a security specialist at a Northeast consumer-goods manufacturer. "We're looking at how we can better encrypt customer information and possibly segment customer names from their financial information so a hacker would have to breach two databases."

That's a good start. "If data is encrypted at the time of the breach, you should be OK," says Nick Akerman, partner at law firm Dorsey & Whitney LLP. But some warn that encryption alone isn't a security panacea. "The problem with encryption is [that] data isn't always encrypted during its life cycle, and we hear stories all the time of hackers breaking passwords," says Mark Rasch, former head of cybercrime at the Department of Justice and chief security counsel at security provider Solutionary Inc.

Beyond requiring that data be encrypted and that disclosure of a breach be timely, the law provides little guidance as to what technically constitutes a breach that would require disclosure, what level of encryption companies should deploy, and how soon after a breach a disclosure would be considered timely under the law. "A lot of these laws have holes you could drive a truck through," says John Pescatore, a VP at IT advisory firm Gartner.

Still, companies that are already on top of their security efforts shouldn't see much change. "Now is the time to review policies on protecting and accessing nonpublic customer data," says Gene Fredriksen, VP of information security at Raymond James & Associates. "It's just good business."

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 27, 2014
Who wins in cloud price wars? Short answer: not IT. Enterprises don't want bare-bones IaaS. Providers must focus on support, not undercutting rivals.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Howard Marks talks about steps to take in choosing the right cloud storage solutions for your IT problems
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.