California’s prior data breach law was the first in the nation and turned out to be a model that other states used for their own data breach laws. Whether the new law will have that same effect remains to be seen but, just in case, here is the 30,000 feet view of what it does:
A copy of the new statute, SB 24, essentially does the following:
- Applies to anyone in California that owns or licenses computer data containing non-public personal information (last name + first name or initial + SS#, DL#, ID#, acct, debit, access #s, medical info, or health ins info)
- Applies upon discovery or notification of a data breach of “unencrypted personal information”
- Requires notice (written/electronic/posting) in the most expedient time possible and without unreasonable delay
- Requires that data breach notifications specifically contain
- general description of the incident
- type of information breached
- time of the breach, and
- toll-free telephone numbers and addresses of the major credit reporting agencies in California
- whether notification was delayed because of law enforcement
- Requires data holders to send a copy of the notice to the Attorney General if the breach affects more than 500 people in California
- (and a few more pages of details I didn’t cover)
Most of this information was taken from a nice article was written by Tanya Forsheit of InfoLawGroup entitled California Amends Data Breach Law – For Real This Time. Go check it out, this could be a model for things to come!
Interesting stuff. In a lot of ways, I’m glad my foray into I/T security was, shall we say, cut short. (Getting fired kinda does that. 😉 ) With the pathetic state of security on our credit card systems, we could’ve been submitting DAILY violation reports!
Yeah John you make a good point, getting fired does do that! As for the state of security, yes, it is all in a pretty sad state and I am not sure it is getting any better any time soon.
Two key, unaddressed issues in most state data breach laws are what, if any, obligation the agency, person or business has (1) to encrypt sensitive data to avoid a data breach in the first place, and (2) to monitor its systems to determine whether there has been a data breach.
Section 1798.82 of California’s Civil Code, for example, imposes on a person or business a notification duty “following discovery or notification of the breach in the security of the data.” It defines “breach of the security of the system” to mean unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. The notification must be given to state residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The statue does not require that data be encrypted, nor does it require active monitoring of data security. If the person or business makes no effort to monitor or audit its systems for a data breach, a notification requirement would not arise unless some third party informed the person or business that unencrypted data had been compromised. If personal information was obtained via hacking, the person or business would not necessarily know the information had been compromised. The person or business likely would never know if data were compromised via interception of unencrypted email, because detecting interception is extremely difficult. The statue encourages encryption, because the notification is not required for encrypted data, but it does not require encryption.
Massachusetts and Nevada have taken a different approach – requiring encryption of personal data. That is a better model than simply reporting a data breach after the fact – no matter how detailed the notification. Informing individuals that they might be harmed by a data breach is “too little, too late.” It does no good to lock the barn door after the horses have left. Even better would be to impose a duty on businesses to encrypt person data at rest and in transit, to actively monitor their systems for intrusion, and to periodically audit their cyber security practices (including personnel training).