The Integrity News
Vol. XII No. 16
May 9, 2003
May 12, 2003

"Companies doing business in California
have a compelling reason to bolster their

A tough new CA state law that goes into effect
July 1, 2003, will require companies that maintain
data on Calif. residents to inform individuals
of any security breaches that result in their
personal information being stolen.

Apart from those in the financial services
and health care sectors, few companies
appear to be aware of the pending rules,
according to some legal experts. That could
be dangerous, since failure to comply with
the statute's requirements could expose
companies to potentially costly lawsuits,
legal experts warned.

California SB 1386 was signed into law last year
and is being used as a model for a similar Federal
identity-theft-related bill. Both laws aim to force
companies to proactively identify security breaches
that could result in identity theft -- something that
companies have traditionally been unwilling to do.

The law doesn't spell out the administrative or
technical actions that companies might need to take
to be in compliance. But the implication is that
companies need mechanisms for detecting,
monitoring, and responding to breaches that might
compromise personal data. ONE CLEAR SAFE
HARBOR IS TO ENCRYPT DATA ON YOUR
STORAGE MEDIA. COMPANIES THAT DO
SO ARE EXEMPT FROM THE PROVISIONS
OF SB 1386.

The PR consequences of only notifying Calif. residents
of a security breach could be very bad. So, Calif. has
come up with a consumer-oriented law that could
become the next headache for businesses using
computers, all across the country."

The Investment Company Institute in Washington, DC,
has made it known that they see little to show that the
law addresses the identity-theft issue for which it was
created. "We are not sure what these notices are
meant to accomplish. What is an individual supposed
to do with that information?"

To discuss security or encryption, call The Integrity
Center at (972) 484-6140.