Calif. breach-disclosure law raises questions, concerns

A groundbreaking California law that takes effect this week compels any business or state agency that suffers a computer security breach to immediately notify residents if their personal information is compromised . . . or risk a lawsuit.

Moreover, the California Database Security Breach Act is having an effect far beyond that state because it applies to any business - no matter where it's located - if it has customers in California. The first law to mandate such customer notifications, it also requires disclosure whether a break-in is confirmed or merely suspected.

U.S. Sen. Dianne Feinstein (D-Calif.) has indicated interest in fostering a national law along the same lines.

While the legislation has generated much opposition from the business community, some companies say they're ready for the law because they already follow its basic premise.

"There have been instances where user passwords were inadvertently accessible," says eBay spokesman Kevin Pursglove. "Whenever a breach happens, and it's happened a number of times, we have always notified our customers about any of these problems."

He said eBay, which has its headquarters in San Jose, encrypts credit card numbers and customer information. Under the California law, a computer breach involving theft of encrypted sensitive customer data would not require notification to California customers.

Nevertheless, the law has IT managers nationwide bolstering network security and wringing their hands over how to respond should outside hackers or corrupt insiders gain access to customer databases that might include the personal information of Californians. And in situations in which service providers are processing sensitive customer data over the Web for their customers - banks, for example - questions about liability are cropping up far outside California.

"As an application service provider, we assume we would be responsible for notifying the banks if a breach occurred, and the banks would notify their California customers," says Eric Beasley, senior network administrator at Baker Hill in Indianapolis. Beasley's company provides online loan-origination applications for about 150 banks, including California's Union Bank. It also acts as the front end for the Fair, Isaac & Co. credit-modeling application LiquidCredit.

"We're just beginning to understand how the California law is applicable to us," Beasley says, noting that there might be a new legal environment unfolding where financial institutions will want to write into contracts that third parties must notify them of any security breach, or possible security breach.

The question of third-party responsibility is suggested but not clearly articulated in the new law, says Dina Davalle, an attorney at Luce, Forward, Hamilton & Scripps. The law does cover those who license or maintain the customer data, she notes. But as to what they should be compelled to do in a security breach, "it's a little vague," she says.

The law says disclosure of a security breach to California residents must come immediately, and lawyers say that means nothing more specific than within a reasonable period of time.

The law is intended to prevent identity theft, but a number of trade groups opposed the legislation as being wrong-headed. Some say that by forcing businesses to disclose suspected breaches, it will frighten customers even when no loss of personal information occurred.

"And it will be a field day for hackers because much of the thrill for them is the notoriety," says Tami Salmon, a Washington, D.C., attorney with Investment Company Institute, which represents more than 8,000 investment firms and has stated opposition to the California bill.

"It has too low a threshold for when a company has to go to the notification process," says Harris Miller, president of trade group Information Technology Association of America, which has more than 500 high-tech members. "You'll have to notify customers when nothing may have actually happened. The law will have a lot of negative consequences for companies and consumers."

Many California-based companies have buttressed security in anticipation of the law going into effect this week.

"We've reviewed our security structures and we're working to create awareness about this in the company," says Tammy Lowe, CIO at Novato, Calif., house and garden retailer Smith & Hawken, which has print catalogs, an e-commerce Web site and brick-and-mortar stores throughout the country.

Like Baker Hill, Smith & Hawken opted for the intrusion-prevention approach in preparing for the advent of the security-breach law. The retailer added host-based software called Primary Response from Sana Security across its servers. Primary Response takes about a week to learn patterns of normal behavior and can then detect and block attempts to subvert a server.

Protections for California consumers

The California Database Security Breach Act that goes into effect July 1:
Covers any state agency, person or company that does business in California.
Requires disclosure to California residents if a breach of personal information has occurred or is believed to have occurred.
Defines personal information as a name in combination with a Social Security number, driver's license number, state ID card number, or account, credit or debit card number together with any required security code.
Offers redress in court if companies don’t comply.

Baker Hill has taken steps such as installing a gateway appliance from Teros that can block and report on any suspicious attempts to access Web-based applications. Beasley says the Teros application-layer intrusion-protection appliance alleviates the need to rush to patch newly discovered vulnerabilities in software immediately, which are often the holes that hackers use to breach a system.

A key question the new law raises is whether companies should be prepared to disclose a breach not only to Californians but to other customers. Smith & Hawken is leaning toward notification for Californians only. Some attorneys say that sticking too closely to the letter of the law might be problematic.

"The law only requires notification of California residents, but providing notice strictly to known California residents may be a risky approach for a company to take," attorney Davalle says. "What if a company's database is outdated and a customer who is listed as a non-California resident has moved and is now a California resident?"

She also points out that notifying only Californians could create a public relations nightmare.

The law does say that the customer-notification process can be delayed if companies take their problems to law enforcement and are told that going public would hinder an investigation.

Acceptable methods of disclosure are spelled out: a letter, or e-mail if a customer has authorized that beforehand. If the cost to make a disclosure exceeds $25,000 or involves more than 500,000 customers, the law allows other possibilities, including a conspicuous Web posting or generating press coverage.
