Report security breaches: new rules aid privacy efforts, but challenge businesses - 2003 Technology & Business Resource Guide: Privacy Protection

California CPA, May, 2003 by Jerald M. Savin

Effective July 1, entities or persons doing business in California will be required to notify California residents if their personal information--contained in databases under their control--may have been acquired by unauthorized people through a security breach.

Signed into law last year, this legislation--Senate Bill 1386--is a leap forward in terms of privacy and identity theft protection. In terms of computer systems, however, this is a nightmare.

In April 2002, the state of California waited more than two weeks before notifying employees that hackers broke into the state's payroll system and compromised its payroll information. While SB 1386 grew out of this incident, it is not unique. The European Union formulated privacy guidelines in 1995, which were subsequently adopted in various forms by numerous European countries, Australia, New Zealand and Canada.

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) and the Children's Online Privacy Protection Act (COPPA) impose special privacy rules in their respective areas. Among the states and the federal government, however, California's legislation is the most far-reaching, and it is no less severe than HIPAA or COPPA.

WHO'S AFFECTED?

This law applies to any person or business doing business in California, including state agencies. It requires the notification of California residents. It does not require notification of non-California residents.

But, from a practical standpoint, who would want to notify only Californians and then be subject to criticism for failing to notify non-Californians?

This law also applies to service bureaus that maintain computerized personal information data for others.

The statute specifically identifies the following as personal information: First name or first initial and last name in combination with Social Security number, driver's license number or California identification card number.

Also considered personal information is an account number or credit or debit card number in combination with any required security code, access code or password.

CHALLENGES TO BUSINESSES

For businesses, there are at least three challenges associated with this legislation:

1. Protecting personal information from unauthorized distribution;

2. Protecting systems from security breaches; and

3. Informing the public that their personal information may have been acquired by unauthorized parties.

The statute defines a security system breach as "... unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person or business. Good faith acquisition of personal information ... is not a breach ... subject to further unauthorized disclosure."

If unauthorized acquisition occurs, the law requires notification of California residents that their personal information may have been compromised. The notification requirements vary according to the notification cost and the number of individuals affected by the unauthorized acquisition.

If the notification cost is less than $250,000 and the number of people affected is less than 500,000, the business can notify those affected by written or electronic notice. But if the notification cost exceeds $250,000 or the number of people affected exceeds 500,000, then substitute notice is allowed.

Substitute notices include e-mails to individuals where e-mail addresses are available, conspicuous notice on the business website and notification via major statewide media.

These requirements also apply to service bureaus that maintain computerized personal information data for others. Just because the information contained in their systems is not their own information does not relieve them from these notification requirements.

The legislation provides legal remedies for failure to meet its requirements, which opens the door for class-action lawsuits. Undoubtedly this law will be challenged in court. For the exact text of the statutes and a legal opinion, consult your legal counsel.

WHAT CAN BE DONE?

There are many steps companies can take to make themselves, and the information they house, less vulnerable.

First, this potential exposure requires that companies encrypt the personal information they store in their databases and that they limit access to the application programs that encrypt and decrypt that information. If the systems already provide this functionality, it's less of a problem.

If not, encryption needs to be added and the encryption/decryption mechanisms need to be secure.

Second, companies need to exercise more than prudent management of their systems to ensure that their systems cannot be compromised and that, if breaches do occur, they are detected, contained and immediately reported to executive management.

Third, systems need to be constantly monitored. Running an IT department just got harder with this new legislation. It now means serving the needs of the company, operating technical resources and waging a never-ending struggle to maintain secure systems.
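The first and third recommendations above (encrypt stored personal information behind a single, access-controlled encrypt/decrypt component, and monitor that component so anomalous use is detected and reported) can be sketched in code. The following Go program is an added example, not code from the article or from any product it mentions. The `Vault` type, the per-caller alert threshold and the audit trail are assumptions made for illustration; the record ids and the Social Security number are constructed sample values, not real data. AES-GCM from the Go standard library is used for field-level encryption, with the record id bound as associated data so a ciphertext copied into another row will not decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Vault is the one component allowed to see plaintext personal information.
// The rest of the application stores and passes around ciphertext only.
// (Illustrative design: in production the key would live in a KMS or HSM,
// and the audit trail would go to a tamper-evident log, not a slice.)
type Vault struct {
	aead      cipher.AEAD
	threshold int            // decrypt attempts per caller before an alert fires
	counts    map[string]int // decrypt attempts seen per caller
	trail     []string       // audit trail: caller, record id, outcome
}

// NewVault builds a vault around a 16-, 24- or 32-byte AES key.
func NewVault(key []byte, threshold int) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, threshold: threshold, counts: map[string]int{}}, nil
}

// Seal encrypts one field (an SSN, a card number) for storage. The record id
// is authenticated as associated data, so the ciphertext is tied to its row.
func (v *Vault) Seal(recordID, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return hex.EncodeToString(ct), nil // stored as nonce || ciphertext || tag
}

// open does the raw decryption without any bookkeeping.
func (v *Vault) open(recordID, stored string) (string, error) {
	ct, err := hex.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(ct) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Open decrypts a stored field on behalf of caller. Every attempt, successful
// or not, is written to the audit trail, and alert becomes true once the
// caller exceeds the threshold: the kind of signal monitoring should surface
// to management rather than leave buried in a log.
func (v *Vault) Open(caller, recordID, stored string) (plaintext string, alert bool, err error) {
	v.counts[caller]++
	alert = v.counts[caller] > v.threshold
	plaintext, err = v.open(recordID, stored)
	outcome := "ok"
	if err != nil {
		outcome = "denied: " + err.Error()
	}
	v.trail = append(v.trail, caller+" "+recordID+" "+outcome)
	return plaintext, alert, err
}

// Trail returns the audit trail accumulated so far.
func (v *Vault) Trail() []string { return v.trail }

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, err := NewVault(key, 2)
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the SSN is not a real person's number.
	stored, _ := v.Seal("emp-001", "123-45-6789")
	fmt.Println("stored form:", stored)
	for i := 0; i < 3; i++ {
		pt, alert, err := v.Open("payroll-report", "emp-001", stored)
		fmt.Printf("decrypt %d: %q alert=%v err=%v\n", i+1, pt, alert, err)
	}
	_, _, err = v.Open("payroll-report", "emp-002", stored) // ciphertext moved to another row
	fmt.Println("moved ciphertext:", err)
	for _, line := range v.Trail() {
		fmt.Println("audit:", line)
	}
}
```

The point of routing every decryption through one small component is that access to plaintext can be granted narrowly, logged completely, and watched for volume that no legitimate job would produce; a bulk read that trips the threshold is exactly the event that has to be contained and escalated under the notification rules described earlier.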

Content provided in partnership with Thompson Gale