California legislators continue to lead the way in the domain of data breach law, with a new bill up for approval that would require organizations to detail what types of information they've lost, and how.
A lot of people have a lot to say about California in the political sphere these days; from its looming energy crisis to its heated social debates, the Golden State is living through a tumultuous period.
Yet, in the area of mandated data breach reporting, there’s no question that California continues to lead, and we should all be thankful to legislators in the massive state for this.
Let’s not forget, without California’s once-controversial SB 1386 (passed in 2003) breach disclosure law, we might never have begun hearing about the many serious incidents that subsequently caused widespread re-examination of our data security policies – or at least would not have learned about them as early as we did.
And that leadership continues as dedicated legislators such as Silicon Valley’s own State Senator Joe Simitian continue their tireless efforts to improve consumer rights related to electronic data security – and at the same time push organizations to work harder to protect the sensitive information they collect.
Most recently, Simitian and some of his esteemed colleagues introduced California SB 1166, which was passed by the California State Legislature last week and awaits approval by Gov. Arnold Schwarzenegger. In the state senator’s own words, the bill seeks to go beyond the previous measures and “strengthen the state’s security breach notification system by establishing core content” for each breach notice.
In short, the new bill mandates that organizations disclosing a breach report the types of personal information exposed, the date or estimated date of the breach, a general description of the incident itself, and the necessary contact information for credit reporting agencies if the breach involves specific types of data (namely Social Security numbers and California driver's license/ID card information).
In addition, the involved organization will be required to describe any efforts that it is undertaking to protect the individuals whose data was affected by the breach. In the case of any breach that involves more than 500 personal records, there is also a requirement to notify the California State Attorney General’s office.
This is the level of detail that we should expect from these trusted stewards of our personal data when they make mistakes, and while we still do not have a national data breach law, I’d imagine that, if SB 1166 passes, other states will follow its lead – just as they have mirrored California’s other data breach laws in the past.
The relevance to our potential clients at Core is simple. They can no longer wait for a massive breach to occur before notifying the authorities and affected customers. The threshold has been lowered to 500 residents, and the bill moves further away from the old norm under which, if the data was encrypted, you need not notify anyone.
We all know that encryption helps quite a bit, but it is not a sufficient failsafe.
As a result of this type of law, organizations must truly become more proactive in not only benchmarking and continuously monitoring the effectiveness of their existing security controls, but also in maintaining better situational awareness as to how data can be misappropriated from their IT systems.
In light of such a measure, organizations must be able to demonstrate that their security controls are effective during and after a breach, and not surprisingly, we here at Core believe that pen testing is the best way to do just that.
This is about creating the types of controls and protections that will not only defend the identities of all U.S. citizens, but also help organizations reach the point where their business, and our economic security, is far better insulated from the many cyber-criminals and state-backed actors, as well as terrorists, who seek to undermine our financial security and societal stability through their near-ceaseless attacks on our IT systems.
SB 1166 and other bills of its ilk may serve as a strong dose of IT security medicine that some organizations would prefer to avoid; however, I feel this is just the sort of legislative activity that will directly improve our personal and national health in the future.
Pass the spoon.
-Tom Kellermann, Vice President of Security Awareness