California Senate Bill 1386
Overview
California Senate Bill 1386 was introduced in July 2003. The bill was the first attempt by a state legislature to address the problem of identity theft. In short, the bill introduces stiff disclosure requirements for businesses and government agencies that experience security breaches of systems that might contain the personal information of California residents. Many organizations in the United States (and possibly worldwide) are expected to be subject to these requirements.
Requirements
"Personal Information," as defined in the bill, includes the person's first name (or initial) and last name in combination with a unique personal identifier such as a driver's license number or social security number. The bill also limits coverage to personal data that is "un-encrypted."
The bill applies to any person or business that conducts business in California and owns or licenses computerized data that contains personal information or maintains such computerized data for another. The law also applies to California state agencies.
According to the bill, each organization must follow certain disclosure obligations following the discovery of a security breach that may have compromised customer data. The law states: "Notice must be given to any resident of California whose PI is or is reasonably believed to have been acquired by an unauthorized person." Notice must be given in the "most expedient time possible" and "without unreasonable delay," subject to certain provisions that define what is reasonable for your organization.
Notifications can be in either written or electronic form. If individuals cannot be notified because of insufficient address information or prohibitive notification costs, then organizations must take other measures, such as a "conspicuous notice on the public web site" and notification of the major media.
Policy Implications
While the law is limited to the "personal data of California residents," few businesses have the ability or desire to protect customer data from one geographic region differently from another. So there are a few policy areas to consider for compliance with this bill.
Data Encryption Policies - Perhaps the simplest way to deal with the bill's requirements is to have a policy of encrypting customer data while it is stored, since encrypted data does not require disclosure. However, this policy will likely not cover you unless you also have policies to encrypt data in transit.
Data Classification Policies - Your policies should clearly indicate the level of protection required for various information types. In this case, personal customer information would be highly sensitive data that requires a higher level of protection. Does your organization have data classification policies? If so, do they specifically mention these types of customer data?
Incident Response Policies and Procedures - Obviously, an organization should have existing incident response policies, including specifications about what forensic data should be saved and in what way. The incident response policies should include a minimum required time frame for forensic or other analysis to help determine your organization's "reasonable" notification time. Overall, it is better to have your own documented procedures than to allow a courtroom to determine what "reasonable" was.
Incident Disclosure Policies - The best-case scenario is to have specific incident disclosure policies that address the bill's requirements. These policies would include discussion of the types of breaches, the data potentially lost in the breaches, and the proper people and channels responsible for notification of outside agencies.