California's New Rules Of Disclosure - InformationWeek
State law will force companies nationwide to make security breaches public

A California law that takes effect July 1 will force companies inside and outside the state to do what they historically have been loath to do: disclose embarrassing information-security breaches.

If companies believe that their California customers' personally identifiable financial information may have been accessed by an unauthorized party, they must inform those customers of the breach. Disclosure may be delayed if law-enforcement officials deem the disclosure could jeopardize an investigation.

Of 376 organizations polled for the 2003 Computer Security Institute/FBI Computer Crime and Security Survey, each experiencing a breach in the past year, half say they kept the incidents quiet. Thirty percent of those surveyed reported the breach to law enforcement, while 21% sought legal counsel. A majority of organizations say negative publicity was the reason for not disclosing security breaches to law enforcement.

Now organizations that do business with Californians won't have a choice--and the same may soon be true for companies that don't. A federal law similar to California's is in the works: Sen. Dianne Feinstein, D-Calif., is readying a federal bill based largely on the California law.

Security experts say most companies, especially those outside the already heavily regulated health-care and financial industries, have done little to prepare for the new law. "Companies underestimate the impact of the law," says Ryan McGee, director of product marketing for Internet security company Network Associates Inc.'s McAfee division. He says his company has received few inquiries from customers about how to comply. "It will take lawsuits and serious damages before many businesses become concerned about it," McGee says.

The law, which passed last year, is only now grabbing the attention of companies outside California. "We found out that it applies to us a few weeks ago," says a security specialist at a Northeast consumer-goods manufacturer. "We're looking at how we can better encrypt customer information and possibly segment customer names from their financial information so a hacker would have to breach two databases."

That's a good start. "If data is encrypted at the time of the breach, you should be OK," says Nick Akerman, partner at law firm Dorsey & Whitney LLP. But some warn that encryption alone isn't a security panacea. "The problem with encryption is [that] data isn't always encrypted during its life cycle, and we hear stories all the time of hackers breaking passwords," says Mark Rasch, former head of cybercrime at the Department of Justice and chief security counsel at security provider Solutionary Inc.

Beyond requiring that data be encrypted and that disclosure of a breach be timely, the law provides little guidance as to what technically constitutes a breach that would require disclosure, what level of encryption companies should deploy, and how soon after a breach a disclosure would be considered timely under the law. "A lot of these laws have holes you could drive a truck through," says John Pescatore, a VP at IT advisory firm Gartner.

Still, companies that are already on top of their security efforts shouldn't see much change. "Now is the time to review policies on protecting and accessing nonpublic customer data," says Gene Fredriksen, VP of information security at Raymond James & Associates. "It's just good business."
