State law will force companies nationwide to make security breaches public
A California law that takes effect July 1 will force companies inside and outside the state to do what they historically have been loath to do: disclose embarrassing information-security breaches.
If companies believe that their California customers' personally identifiable financial information may have been accessed by an unauthorized party, they must inform those customers of the breach. Disclosure may be delayed if law-enforcement officials deem the disclosure could jeopardize an investigation.
Of the 376 organizations polled for the 2003 Computer Security Institute/FBI Computer Crime and Security Survey that experienced a breach in the past year, half say they kept the incidents quiet. Thirty percent reported the breach to law enforcement, and 21% sought legal counsel. A majority say negative publicity was the reason for not disclosing security breaches to law enforcement.
Now organizations that do business with Californians won't have a choice--and the same may soon be true for companies that don't. A federal law similar to California's is in the works: Sen. Dianne Feinstein, D-Calif., is readying a federal bill based largely on the California law.
Security experts say most companies, especially those outside the already heavily regulated health-care and financial industries, have done little to prepare for the new law. "Companies underestimate the impact of the law," says Ryan McGee, director of product marketing for Internet security company Network Associates Inc.'s McAfee division. He says his company has received few inquiries from customers about how to comply. "It will take lawsuits and serious damages before many businesses become concerned about it," McGee says.
The law, which passed last year, is only now grabbing the attention of companies outside California. "We found out that it applies to us a few weeks ago," says a security specialist at a Northeast consumer-goods manufacturer. "We're looking at how we can better encrypt customer information and possibly segment customer names from their financial information so a hacker would have to breach two databases."
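The segmentation the manufacturer's security specialist describes depends on one detail the quote leaves out: how the two databases are linked. The following is an added example, not code from the manufacturer or from any product named in this article. It builds two separate in-memory SQLite stores (one for names and e-mail addresses, one for card numbers, both constructed sample data) and shows that a dump of either store alone yields no name paired with a card number, but only when the join token is random; if the token is derived from a guessable attribute such as the e-mail address, an attacker holding only the financial store can look customers up directly. Encryption of the stored values, which the article discusses next, is deliberately left out so the example isolates the segmentation point.

```python
"""Two-store segmentation of customer identity and financial data.

Added example with constructed sample data. Two independent SQLite
databases are linked only by an opaque token; neither store alone
contains a name next to a card number.
"""
import hashlib
import secrets
import sqlite3

# Constructed sample customers: not real people, and test card numbers.
SAMPLE_CUSTOMERS = [
    ("Alice Example", "alice@example.com", "4111111111111111"),
    ("Bob Example", "bob@example.com", "5500000000000004"),
]


def new_store(ddl):
    """Open a separate in-memory SQLite database and create its one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(ddl)
    return conn


def build_segmented_stores(customers, link_key):
    """Load customers into two stores joined only by link_key(name, email).

    identity store:  token -> name, email   (no financial data)
    financial store: token -> card number   (no name or e-mail)
    """
    identity = new_store(
        "CREATE TABLE customer (token TEXT PRIMARY KEY, name TEXT, email TEXT)")
    financial = new_store(
        "CREATE TABLE account (token TEXT PRIMARY KEY, pan TEXT)")
    for name, email, pan in customers:
        token = link_key(name, email)
        identity.execute("INSERT INTO customer VALUES (?, ?, ?)", (token, name, email))
        financial.execute("INSERT INTO account VALUES (?, ?)", (token, pan))
    return identity, financial


def random_link_key(name, email):
    """Recommended: an opaque random token unrelated to any customer attribute."""
    return secrets.token_hex(16)


def derived_link_key(name, email):
    """Anti-pattern: a token an outsider can recompute from the e-mail address."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def dump_identity(identity):
    """What an attacker holding only the identity store walks away with."""
    return identity.execute("SELECT token, name, email FROM customer").fetchall()


def dump_financial(financial):
    """What an attacker holding only the financial store walks away with."""
    return financial.execute("SELECT token, pan FROM account").fetchall()


def attacker_lookup_by_email(financial_dump, email):
    """With only the financial dump and a target's e-mail, try to recover the card.

    The attacker guesses the token is sha256(email); this succeeds only
    against stores built with derived_link_key.
    """
    guess = derived_link_key(None, email)
    for token, pan in financial_dump:
        if token == guess:
            return pan
    return None


def attacker_join(identity_dump, financial_dump):
    """Names paired with card numbers: needs BOTH dumps, whatever the token scheme."""
    pans = dict(financial_dump)
    return sorted((name, pans[token]) for token, name, _ in identity_dump if token in pans)


if __name__ == "__main__":
    good_id, good_fin = build_segmented_stores(SAMPLE_CUSTOMERS, random_link_key)
    print("random token, financial dump only:",
          attacker_lookup_by_email(dump_financial(good_fin), "alice@example.com"))
    bad_id, bad_fin = build_segmented_stores(SAMPLE_CUSTOMERS, derived_link_key)
    print("derived token, financial dump only:",
          attacker_lookup_by_email(dump_financial(bad_fin), "alice@example.com"))
    print("both dumps:", attacker_join(dump_identity(good_id), dump_financial(good_fin)))
```

The application that serves customers still needs both connections and performs the join in memory, so the split raises the bar for a database-level compromise but not for a compromised application host; that is the life-cycle gap the next paragraph's sources warn about.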
That's a good start. "If data is encrypted at the time of the breach, you should be OK," says Nick Akerman, partner at law firm Dorsey & Whitney LLP. But some warn that encryption alone isn't a security panacea. "The problem with encryption is [that] data isn't always encrypted during its life cycle, and we hear stories all the time of hackers breaking passwords," says Mark Rasch, former head of cybercrime at the Department of Justice and chief security counsel at security provider Solutionary Inc.
Beyond exempting encrypted data and requiring that disclosure of a breach be timely, the law provides little guidance on what technically constitutes a breach that would require disclosure, what level of encryption companies should deploy to qualify for the exemption, and how soon after a breach a disclosure would be considered timely under the law. "A lot of these laws have holes you could drive a truck through," says John Pescatore, a VP at IT advisory firm Gartner.
Still, companies that are already on top of their security efforts shouldn't see much change. "Now is the time to review policies on protecting and accessing nonpublic customer data," says Gene Fredriksen, VP of information security at Raymond James & Associates. "It's just good business."