CA Law Requires Firms Disclose Security Breaches

A lot of attention is being paid to California's upcoming "anti-spam" law which takes effect Jan.1, 2004. But are you up to speed on the law adopted this summer that requires all companies doing business in California to notify their California customers, partners or other business relationships when they suspect their non-encrypted information has been compromised and/or stolen? IDN takes you through how to protect yourselves, and your company.

Tags: Law, Security, Customer, California, Response, Encrypting, Notification,


A lot of attention is being paid to California's upcoming "anti-spam" law which takes effect Jan.1, 2004.

But are you up to speed on the law adopted this summer that requires all companies doing business in California to notify their California customers, partners or other business relationships when they suspect their non-encrypted information has been compromised and/or stolen?

In this story, IDN provides enterprise developers with insights on how the new law could likely change their jobs, and the ways their company execs think about -- and implement -- security.

The key element of this law is that the data compromised or acquired must be non-encrypted -- should your IT shop suffer a security breach into an encrypted database of customer files, the law does not apply.

In this story, IDN provides enterprise developers with insights on how the new law could likely change their jobs, and the ways their company execs think about -- and implement -- security. We'll look at:
  1. The actual law and its requirements;
  2. How developers/operations managers should adjust their internal systems to prevent intrusion; and
  3. What steps to take if you suffer a cyber-attack and need to comply with the new law.


I. Cracking the "Civil" Code

In a nutshell, the new California law (Civil Code 1798.82) states: Any person or company doing business in the state of California is responsible for notifying California residents of security breaches to their non-encrypted information. Most importantly, The actual security breach does not need to occur in California.

This extended reach applies only as long as a company is doing business in the state, maintaining a physical office or retail office, contracting with California vendors or even simply acting as a registered agent for the state (and located elsewhere). If you are strictly a mail-order business, with no ties to California except your online customers, this law may not apply to you at all. Lawyers are still trying to decode this aspect of the law.

Interestingly, the law does not specify what this mandatory notification must entail, or whether or not it must be easily understood by the customer. Therefore, legal and technical experts IDN has spoken to for this article say most corporations are going to take the path of least exposure; i.e., letters mailed to affected customers. Also, the law doesn't specify information that was acquired due to unauthorized conduct; thus doesn't necessarily require a company to disclose every act of employee misconduct.

The pending law is a sign of things to come. Nationwide, the Federal Trade Commission (FTC) is aggressively cracking down on corporations, enforcing the edict that requires IT companies to maintain sufficient security and response programs to protect their customer data.

II. Top Tips for Avoiding Trouble -- Know Your Data
What can you do? Since the law is in its infancy, no industry best practices have been developed, but some leaders in the field offered recommendations on plotting a savvy course in self-protection.

Marc Zwillinger, chair of the Information Security and Anti-Piracy practice group at Sonnenschein Nath & Rosenthal in Washington D.C., offered developers and IT managers some ways to comply with the new law -- and avoid potential lawsuits. Chief among these suggestions: Know your data. To comply with the law, four (4) key elements will help determine how much prep work is necessary, and how likely you will be to suffer an attack that falls under the scope of the law.

These keys are:
  1. Where your data is housed;
  2. What it contains (customer and/or partner data, or internal files);
  3. What other systems your data shares with (integration, multi-DB queries, etc.); and
  4. What databases are encrypted (or unencrypted).


"Most corporations don't routinely segregate data related to California residents from other customer or employee data. This [law] may have a significant effect on how companies across the U.S. handle IT issues," Zwillinger told IDN. As far as the law is concerned, "data" is defined as the first name, last name and any combination of the following: Social Security number, driver's license number, account number, debit or credit card information.

Zwillinger offered some other suggestions:

  • Identify key systems containing personal information and activate/enhance logging capabilities on such systems.

  • Consider encrypting all stored customer data. Determine whether the cost to the company is worth IT's time and effort to employ total database encryption practices. If a dispute proceeds to court, IT must prove the data was encrypted at the time of the security breach.

  • Deploy new technology designed to provide forensic detail about network conduct ) and data-flow pattern anomalies a href= www.lancope.com>). Timely and accurate answers to data acquisition are critical.

  • If you don't already have one, create a comprehensive Incident Response Plan that details how IT will handle security breaches and other catastrophic incidents on the corporate network. Make sure that this plan includes a detailed notification procedure for addressing affected customers, should IT detect a security breach. The law provides for more flexibility if an existing IT policy for responding to incidents and notifying customers is already in place.

  • Include a provision in your IT response plan that addresses a period of investigation and response to the security incident prior to customer notification. This will allow reasonable time to address the security breach and restore system integrity before any mandatory notification begins. The law allows for IT to utilize an existing response plan as an alternative to immediate notification -- if the plan has necessary provisions in place.

  • Review all existing third-party contracts involving the transfer of sensitive personal data to ensure that they contain provisions for notification, investigation and the right to participate in or control reporting of incidents involving customer data. (Note: This is especially important if IT has outsourced data storage and has no visibility into the storage network's compliance policies.)

    III. Making Sure You Comply -- If Attacked

    While Zwillinger emphasizes that prevention and a good response plan are crucial, another security expert focuses on an additional component: compliance.

    "Preventative measures are important, but do not constitute compliance," affirms John Patzakis, President and CEO of Guidance Software. IT staff, he advises, need systems that can detect the exact time an incident takes place, the possible compromise of encrypted data, and possible compromise of non-encrypted data applying to California customers. "Administrators must have a forensic plan in place to detect these incidents, especially internal incidents and fraudulent acquisition of customer data. Computer forensics determine what and when specific data was compromised," Patzakis advises.

    Patzakis recommends taking these further steps toward security:

  • Customizable scripts and filters provide high levels of assurance when monitoring mission-critical business units such as sales and finance. The ability to backtrack through deleted and/or damaged files allows for a complete view of data transactions in question.

  • Computer forensics provide advanced logging capabilities to detect and archive digital events occurring on the network. The timing of events, and what files were accessed/transported, will be readily apparent during analysis of the incident. This also allows for real-time visibility of network activity, enabling the administrator to note live data transfers for later investigation with almost invisible impact to network performance.

  • File parameters and signifiers allow for the instant recognition of encrypted vs. non-encrypted files, and provide a full history of file access and activity.


You can see the full text of the coming California law (Civil Code 1798.82) at the state's website and get further comment on the law's impact at The Segal Company, a high-tech legal consultancy.

Disclaimer: This article is not intended to take the place of informed legal advice and/or counsel. The facts and suggestions contained herein are for informational purposes only and should be expanded upon by trusted legal sources. Should your company need specific advice and/or assistance in preparing a security response plan that is compliant with current laws and regulations, or have further questions regarding SB1386, it is recommended that you seek professional counsel.






back