Online Security, a global provider of computer forensics and information technology risk mitigation since 1997

  New California Law to Impact Global Business - SB 1386
Posted: Apr 22 2003
By Erik Laykin, President OnlineSecurity, Inc.

California Governor Gray Davis (D) signed legislation known as SB 1386, which comes into effect in the State of California on July 1, 2003 and mandates that all entities conducting business in California through electronic means report breaches of security that could affect California residents. These breaches of security can relate to a number of different scenarios in which complete or partial records of a California resident's personal information are compromised. The bill specifically addresses instances in which the breached data warehouses or hard drives of a company contain records such as Social Security numbers, or account numbers together with the unique identifiers associated with them, such as PINs (personal identification numbers).

Principal author California State Sen. Steve Peace hopes that this new personal information and privacy bill will provide California residents with peace of mind and a more secure platform for interacting with electronic databases. The new law covers systems and databases maintained by state agencies such as the Department of Motor Vehicles and local law enforcement agencies, as well as any person or business that conducts business in California.

Several industry trade groups, such as the Information Technology Association of America (ITAA) and the Software and Information Industry Association (SIIA), expressed their opposition to the bill for numerous reasons, including their wish that broad privacy regulation of this kind be left to the federal government.

Here California has bucked the trend set by President Bush's Critical Infrastructure Cyber Security Team, where it was 'recommended' rather than 'legislated' that compromised companies confidentially contact federal or state law enforcement agencies to report a breach of security.

It is widely expected that California, as a closely watched state, will lead numerous other states into enacting similar legislation. The President of the Information Technology Association of America, Harris N. Miller, expressed concern that "a bill such as this one in California, when combined with bills from other states (states which are likely to follow the California bellwether) will produce an untenable 'crazy quilt' of state-by-state piecemeal and inconsistent regulation with which it will be difficult or impossible to comply simultaneously." The association, which is dedicated to promoting the position of its 500 members, including some of the largest names in the information technology industry such as Hewlett-Packard, Microsoft and IBM, also expressed concern that the bill places no limitation of liability on the penalties that persons or businesses operating in California could be subject to in lawsuits arising from their failure to properly disclose breaches of their security.

While the law enforcement community has generally been positive towards the bill, there is widespread concern that its application will be inconsistent and difficult to enforce. Industry analysts have complained that it is virtually impossible with today's technology to determine who is and is not a California resident when all you may have to identify them is an IP address or a username and password.

The President of the Software and Information Industry Association, Ken Wasch, went further, expressing the association's concern that SB 1386 will, "in all likelihood, conflict with the requirements of federal laws such as Gramm-Leach-Bliley and the Children's Online Privacy Protection Act (COPPA), potentially subjecting companies to conflicting liability requirements."

Many companies, in preparation for the bill's activation, have expressed concern that the bill fails to specify how to determine that a data subject is a resident of California. "Firms that maintain national or international databases would find it impossible to determine California location based on e-mail or IP addresses. Even physical address records are inadequate to meet the standard in the bills, as large numbers (17%) of U.S. residents change their addresses every year," said Ken Wasch.

Depending on the State's aggressiveness in enforcing this new law, consumers may find that they become frequent recipients of email and postal notices indicating that they 'may have' been exposed to random or intentional hack assaults on their favorite online business. Glen Hastings of OnlineSecurity said: "Whether you are shopping on Amazon.com, Vons.com or WellsFargo.com, the practical result of this bill may be a high incidence of false or confusing alarms to citizens, further eroding consumer confidence in electronic commerce and online data sharing."

While the bill promises to reduce identity theft (the Los Angeles County Sheriff's Department reports that the 1,932 identity theft cases it received in 2000 represented a 108% increase over the previous year's caseload), the large burden placed on businesses operating in California, either physically or virtually through the World Wide Web, may increase total costs to consumers and open the door to massive consumer class-action litigation for actual or perceived damages based on breaches of security that may or may not have resulted in a release of confidential information.

To illustrate the potential impact that the bill may have on a small Web-based business operating from a state other than California, Charlie Balot, CEO of OnlineSecurity, asked: "To comply with the necessary security precautions from a hardware and software perspective, businesses may need to invest several thousand dollars to upgrade their equipment or infrastructure to sufficiently track any potential intrusions. If a small Web business with several thousand customers, of which some reside in California, hosts their infrastructure, databases and website with an outsourced 'managed hosting service' or ASP, will that business be liable for a breach of this law if their hosting service does not notify them that their security has been breached?"

Balot further said: "From July 1st 2003, any business with any type of Web presence that allows the public to deposit personal information on their site, or collects personal information, will be required by practice and common sense to institute a compliance program which will include security and privacy policies so that they may properly mitigate the initial risk associated with failing to heed the requirements in SB 1386. It would also be my qualified assumption that many small to medium-size businesses will see a substantial increase in labor costs associated with maintaining both a cross-referenced index of which customers are residents of California and monitoring of the security of their Web-based business's architecture on a 24/7 basis." Balot further predicted: "This may be a boon to the insurance industry, which has been waiting for a compliance law with teeth which will convince corporate customers that they must be adequately protected from this type of liability by having a comprehensive e-commerce policy."

California business associations have expressed concern that this type of regulation unfairly burdens California businesses in an environment where foreign-owned businesses are beyond the reach of bills such as SB 1386 but only a keyboard click away for California consumers.

Many questions remain as to how the State of California will enforce SB 1386 on entities such as online gambling websites, which are often compromised and are almost always hosted and owned offshore. Additionally, the penalties and risks of operating in California will be heightened in industries such as the health and medical professions, where HIPAA regulation also calls for substantial fines for compromised records.

Information security experts agree, however, that careful database management coupled with strong security and privacy policies are primary goals that online-enabled businesses should strive for regardless of the impending law. Several national consulting and integration firms have been quietly promoting 'best practices' within the compliance space as it relates to electronic commerce. Michael Caulfield, General Counsel of Computer Horizons, Inc. (NASDAQ: CHRZ), which operates a well-recognized compliance program throughout the United States, commented: "While Federal, State and International laws are taking shape, corporations have been bewildered to comply with what appears to be several moving targets. However, with a clear mandate to protect the consumer at all junctures, corporations will be well served to get ahead of the compliance curve and begin assessing their electronic infrastructure with the objective observation of a heart surgeon. In today's environment no corporation can be aloof to the criminal and regulatory threats and pitfalls which lurk around the corner on the 'dark side' of the Web."
