June 11, 2003

Calif. S.B. 1386

California S.B. 1386 [California Civil Code Sections 1798.29 and 1798.82 to 1798.84 - dks 10/24/03] takes effect 7/1/03, and mandates that those doing business in California disclose any security breach in which a California resident's "unencrypted personal information" may have been compromised. The word "when" appears in the definition of "personal information," defining that term to mean "an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted." [emphasis added]

The listed data elements include:
* social security number
* driver's license number or California ID card number
* account number, credit or debit card number "in combination with any required security code, access code, or password that would permit access to an individual's financial account."

In this context, if "when" means "so long as," it may affect the decision of many companies to encrypt information about customers, visitors, claimants or others and to encrypt it while resident in their database, not just while in communication transit. Merely encrypting data while it is moving between customer and institution, using SSL or a VPN for example, may not be sufficient. A breach that results in unauthorized persons gaining access to an "at rest" database of unencrypted data may be reportable under the new law.
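To make the "at rest" distinction concrete, here is an added Go example (not code from the original post, and not a description of any bank's actual system) showing field-level encryption of the statute's listed data elements before they are written to storage. The key, the customer values, and the choice of AES-256-GCM are all constructed for illustration; the name is kept in the clear, since the definition quoted above is satisfied as long as the data elements themselves are encrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CustomerRecord mirrors the statute's definition: a name alongside the listed
// data elements. Only the data elements are stored as ciphertext; a raw dump of
// the database therefore exposes names but not the combination the law covers.
type CustomerRecord struct {
	Name       string
	SSN        []byte // nonce || ciphertext || GCM tag
	DriversLic []byte
	Account    []byte
}

// EncryptField seals one data element with AES-256-GCM. The random nonce is
// prepended so each stored field can be decrypted on its own. The key must live
// outside the database (KMS, HSM, config vault), otherwise a copy of the
// database is a copy of the plaintext.
func EncryptField(key []byte, plaintext string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// DecryptField reverses EncryptField. GCM authenticates the ciphertext, so a
// record that was altered in storage is rejected instead of silently decrypted.
func DecryptField(key, sealed []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("sealed field too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreRecord is what the application hands to the database layer: the name in
// the clear, every listed data element already encrypted.
func StoreRecord(key []byte, name, ssn, dl, acct string) (CustomerRecord, error) {
	var rec CustomerRecord
	var err error
	rec.Name = name
	if rec.SSN, err = EncryptField(key, ssn); err != nil {
		return rec, err
	}
	if rec.DriversLic, err = EncryptField(key, dl); err != nil {
		return rec, err
	}
	if rec.Account, err = EncryptField(key, acct); err != nil {
		return rec, err
	}
	return rec, nil
}

// LeaksPlaintext reports whether a raw copy of the stored fields would reveal
// secret, i.e. whether an at-rest breach hands the attacker the value directly.
func LeaksPlaintext(rec CustomerRecord, secret string) bool {
	s := []byte(secret)
	return bytes.Contains(rec.SSN, s) || bytes.Contains(rec.DriversLic, s) || bytes.Contains(rec.Account, s)
}

func main() {
	// Constructed 32-byte key and sample customer values for illustration only.
	key := bytes.Repeat([]byte{0x42}, 32)
	rec, err := StoreRecord(key, "Jane Doe", "123-45-6789", "D1234567", "4111111111111111:9876")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored SSN bytes: %x\n", rec.SSN)
	fmt.Println("SSN readable from a raw dump:", LeaksPlaintext(rec, "123-45-6789"))
	ssn, _ := DecryptField(key, rec.SSN)
	fmt.Println("SSN after decrypt with the application key:", ssn)
}
```

The point the example makes is that TLS between browser and bank says nothing about this table: the stored bytes are ciphertext only because the application encrypted them before the write, and they stay ciphertext only as long as the key is kept out of the same backup or dump an intruder might obtain.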

Interesting S.B. 1386 questions are raised by recent reports of the BugBear.B virus, which enters consumer PCs, then searches for the occurrence of matches with several thousand electronic bank addresses that BugBear.B already has (God knows from where). If it gets a match, the virus attempts to capture passwords from the consumer's data store and emails them to ten addresses (presumably the perpetrator's). While this may expose the bank and consumer to unauthorized access of the consumer's account, it does so without hacking into the bank's system.

In a June 6, 2003 Investor's Business Daily article "California Law Raises Bar for Data Security," Donna Howell quotes several attorneys and database security executives in a discussion of the various ways of protecting affected data without prohibitive costs. Other discussions of the law can be found at Security Focus, where some reader responses raised issues of possible conflict with the federal interstate commerce clause and the usual jurisdiction questions of cross-border commerce.

The BugBear.B cyber-attack could raise several interesting questions under S.B. 1386:

* Query: Does S.B. 1386 require the bank that knows of such a compromise to notify California-resident consumers of the possibility they have been the victim of "BugBear.B"?

* Query: If so, which banks must so report? The stories about BugBear.B indicate that over 1200 separate banks' addresses are already carried in the virus' comparison reference list. Must all of them report?

* Query: If so, to which consumers must those banks report? The virus is said to be spreading like most viruses: rapidly and without leaving a trail for investigators to determine which consumers have been infected.

* Query: In such a circumstance, is notification by publication sufficient? The statute has specific provisions for "substitute notice" which include email, media notification and posting on the institution's own website. But to be allowed substitute notice, the statute requires the notifier to "demonstrate" that the cost of specific notice will exceed $250,000 or must address a class of persons greater than a half million.

* Query: Does that mean that 1000+ banks may have to spend up to $250,000 each providing actual personalized notice of the BugBear.B attack? That's up to a quarter billion dollars. For one virus.

Is this a case in which the cost of the notice due to the statute may be greater than the cost of the loss by identity theft? Could the cure be more costly than the disease?

All of these questions and more will be grist for the mill of lawyers across the US, and beyond, wherever companies do business in California with California residents. As we watch the wheels turn, there may be many interesting unintended consequences.

Thanks to BeSpacific for the word that this law appears to be a result of the State of California's own failure to disclose a hack of its own database in April 2002, as reported in the Contra Costa Times.

Posted by dougsimpson at June 11, 2003 02:05 PM