California's New Rules Of Disclosure

State law will force companies nationwide to make security breaches public

A California law that takes effect July 1 will force companies inside and outside the state to do what they historically have been loath to do: disclose embarrassing information-security breaches.

If companies believe that their California customers' personally identifiable financial information may have been accessed by an unauthorized party, they must inform those customers of the breach. Disclosure may be delayed if law-enforcement officials deem the disclosure could jeopardize an investigation.

Of the 376 organizations polled for the 2003 Computer Security Institute/FBI Computer Crime and Security Survey that had experienced a breach in the past year, half say they kept the incidents quiet. Thirty percent of those surveyed reported the breach to law enforcement, while 21% sought legal counsel. A majority of organizations cite negative publicity as the reason for not disclosing security breaches to law enforcement.

Now organizations that do business with Californians won't have a choice--and the same may soon be true for companies that don't. A federal law similar to California's is in the works: Sen. Dianne Feinstein, D-Calif., is readying a federal bill based largely on the California law.

Security experts say most companies, especially those outside the already heavily regulated health-care and financial industries, have done little to prepare for the new law. "Companies underestimate the impact of the law," says Ryan McGee, director of product marketing for Internet security company Network Associates Inc.'s McAfee division. He says his company has received few inquiries from customers about how to comply. "It will take lawsuits and serious damages before many businesses become concerned about it," McGee says.

The law, which passed last year, is only now grabbing the attention of companies outside California. "We found out that it applies to us a few weeks ago," says a security specialist at a Northeast consumer-goods manufacturer. "We're looking at how we can better encrypt customer information and possibly segment customer names from their financial information so a hacker would have to breach two databases."

That's a good start. "If data is encrypted at the time of the breach, you should be OK," says Nick Akerman, partner at law firm Dorsey & Whitney LLP. But some warn that encryption alone isn't a security panacea. "The problem with encryption is [that] data isn't always encrypted during its life cycle, and we hear stories all the time of hackers breaking passwords," says Mark Rasch, former head of cybercrime at the Department of Justice and chief security counsel at security provider Solutionary Inc.
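The two measures the manufacturer's security specialist describes, encrypting the customer data and splitting names from financial details across separate stores, can be combined so that a dump of the financial store alone yields neither plaintext nor a name to attach it to. The following is an added illustration, not code from the article or from any company quoted in it: it uses Go's standard-library AES-256-GCM, a hypothetical application-held key (assumed to live in the application tier or a KMS, never in the database), and constructed sample data. The customer ID is bound into each ciphertext as associated data, so a row copied between customers fails to decrypt rather than silently reassigning an account. It also makes Rasch's caveat concrete: DecryptField is the one point in the life cycle where plaintext exists again, and that is exactly where an attacker with a foothold in the application would aim.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// FinancialRecord is one row of the hypothetical "financial" store. It holds
// only ciphertext; customer names live in a separate store joined by
// CustomerID, so a dump of either store alone gives neither identity plus
// account data nor any plaintext.
type FinancialRecord struct {
	CustomerID string
	Sealed     []byte // nonce || AES-256-GCM ciphertext || tag
}

// NewKey returns a random 256-bit key. The key belongs in the application
// tier (or an HSM/KMS), never in the database next to the rows it protects:
// an attacker who dumps both has the plaintext and the safe harbor is gone.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one plaintext field. The customer ID is bound in as
// associated data, so a ciphertext copied between rows fails to open
// instead of silently reattaching another customer's account to this one.
func EncryptField(key []byte, customerID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, yielding nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(customerID)), nil
}

// DecryptField is the only point in the data's life cycle where plaintext
// exists again; it fails closed on a wrong key, a wrong customer ID, or a
// truncated or tampered blob.
func DecryptField(key []byte, customerID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed field too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(customerID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample data, not a real customer or account number.
	names := map[string]string{"cust-0042": "A. Customer"}
	sealed, err := EncryptField(key, "cust-0042", []byte("acct=4111111111111111;exp=12/06"))
	if err != nil {
		panic(err)
	}
	financial := []FinancialRecord{{CustomerID: "cust-0042", Sealed: sealed}}

	// What an attacker who dumps only the financial store sees:
	fmt.Printf("dumped row: %s -> %x\n", financial[0].CustomerID, financial[0].Sealed)
	if _, err := DecryptField(make([]byte, 32), "cust-0042", financial[0].Sealed); err != nil {
		fmt.Println("decrypt without the application key:", err)
	}
	// What the application sees when it legitimately joins the two stores:
	pt, err := DecryptField(key, "cust-0042", financial[0].Sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %s\n", names["cust-0042"], pt)
}
```

The design choice worth noting is the associated data: without it, encryption protects confidentiality of each row but not the binding between a row and its customer, and an attacker with write access to the table could reassign accounts without ever touching the key.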

Beyond exempting data that was encrypted and requiring that disclosure of a breach be timely, the law provides little guidance as to what technically constitutes a breach that would require disclosure, what strength or form of encryption qualifies for the exemption, and how soon after a breach a disclosure would be considered timely under the law. "A lot of these laws have holes you could drive a truck through," says John Pescatore, a VP at IT advisory firm Gartner.

Still, companies that are already on top of their security efforts shouldn't see much change. "Now is the time to review policies on protecting and accessing nonpublic customer data," says Gene Fredriksen, VP of information security at Raymond James & Associates. "It's just good business."
