Law Impels Firms to Disclose Security Breaches

By RENÉE BEASLEY JONES

San Diego Business Journal

A state law that went into effect July 1 requires companies that maintain computer databases on clients to notify them if hackers break in and steal clients’ personal data that could be used in identity theft.

The burden on businesses is still unknown, but it means companies will bear the expense of notification if security breaches occur. And some experts believe businesses will spend more money fighting court battles over this new privacy law.

The law defines the personal data as a person’s name, Social Security number, driver’s license number, California identification card number and credit or debit card numbers in combination with security codes to access accounts.

Legislators enacted the law last year after a hacker entered a state computer system that held employment data records. Six weeks passed before employees and legislators received notification.

Andy Serwin, senior counsel at Foley & Lardner who specializes in Internet and technology law, said the state is trying to set a national standard with this law. It applies to all companies doing business in California, whether or not their headquarters are in the state.

“Businesses and a lot of lawyers who work in (Internet law) are concerned about compliance,” Serwin said.

The law doesn’t require notification if databases are encrypted, or scrambled to prevent access without authorization. However, the law doesn’t provide a clear definition of encryption, Serwin said.

He expects the law to spur more lawsuits against companies.

To protect themselves, businesses can encrypt data, install technology to lock out hackers, and limit the times and amount of personal information taken from customers, Serwin said.

Fred Main, senior vice president and counsel at the California Chamber of Commerce, said the business community worked with the Legislature last year to make the law less onerous.

“There are always workability issues in any bill that passes,” Main said.

Union Bank of California, which has more than 1 million unique checking accounts, is well positioned to safeguard its clients’ personal information and assets, according to Bob Justus, senior vice president of corporate information security and contingency planning.

The new law won’t impact the way Union Bank handles privacy matters because notification was standard practice there before the law was enacted. “We would consider something a breach even if (hackers) got encrypted data,” Justus said.

Abe Singer, who is responsible for computer security for the San Diego Supercomputer Center, said smart attackers can read some encrypted data or find the password to be able to read it, depending on the complexity of the program.

“There are strong door locks and weaker door locks,” Singer said. “The stronger ones are harder to pick.”
