
Calif. breach-disclosure law raises questions, concerns

By , Network World
June 30, 2003 12:10 AM ET

Network World - A groundbreaking California law that takes effect this week compels any business or state agency that suffers a computer security breach to promptly notify residents if their personal information is compromised, or risk a lawsuit.

Moreover, the California Database Security Breach Act (SB 1386) is having an effect far beyond that state because it applies to any business, no matter where it is located, that holds personal information about California residents. The first law to mandate such customer notifications, it also requires disclosure not only when unauthorized acquisition of the data is confirmed, but also when it is reasonably believed to have occurred.

U.S. Sen. Dianne Feinstein (D-Calif.) has indicated interest in fostering a national law along the same lines.

While the legislation has generated much opposition from the business community, some companies say they're ready for the law because they already follow its basic premise.

"There have been instances where user passwords were inadvertently accessible," says eBay spokesman Kevin Pursglove. "Whenever a breach happens, and it's happened a number of times, we have always notified our customers about any of these problems."

He said eBay, which has its headquarters in San Jose, encrypts credit card numbers and customer information. Under the California law, a computer breach involving theft of encrypted sensitive customer data would not require notification to California customers; the notification duty attaches only to unencrypted personal information. The statute does not, however, define what counts as encryption, so a business relying on the exemption must judge for itself whether its protection of the data would hold up to that reading.

Nevertheless, the law has IT managers nationwide bolstering network security and wringing their hands over how to respond should outside hackers or corrupt insiders gain access to customer databases that might include the personal information of Californians. And where service providers process sensitive customer data over the Web on behalf of their customers (banks, for example), questions about liability are cropping up far outside California.

"As an application service provider, we assume we would be responsible for notifying the banks if a breach occurred, and the banks would notify their California customers," says Eric Beasley, senior network administrator at Baker Hill in Indianapolis. Beasley's company provides online loan-origination applications for about 150 banks, including California's Union Bank. It also acts as the front end for the Fair, Isaac & Co. credit-modeling application LiquidCredit.

"We're just beginning to understand how the California law is applicable to us," Beasley says, noting that there might be a new legal environment unfolding where financial institutions will want to write into contracts that third parties must notify them of any security breach, or possible security breach.

The question of third-party responsibility is suggested but not clearly articulated in the new law, says Dina Davalle, an attorney at Luce, Forward, Hamilton & Scripps. The law does cover those who license or maintain the customer data, she notes. But as to what they should be compelled to do in a security breach, "it's a little vague," she says.

The law requires that disclosure of a security breach to California residents come "in the most expedient time possible and without unreasonable delay," allowing time for the legitimate needs of law enforcement and for measures needed to determine the scope of the breach and restore the integrity of the system. Lawyers say that, in practice, this means nothing more specific than within a reasonable period of time.

The law is intended to prevent identity theft, but a number of trade groups opposed the legislation as being wrong-headed. Some say that by forcing businesses to disclose suspected breaches, it will frighten customers even when no loss of personal information occurred.

"And it will be a field day for hackers because much of the thrill for them is the notoriety," says Tami Salmon, a Washington, D.C., attorney with Investment Company Institute, which represents more than 8,000 investment firms and has stated opposition to the California bill.
