New Privacy Regulation to Take Effect July 1
With the deadline quickly approaching when a new privacy regulation takes effect in California, businesses--both in California and elsewhere--need to take steps now to get into compliance. The new law, which takes effect July 1, requires any organization electronically storing personal information on California residents to disclose any unauthorized access of that information. Passed in November, California Senate Bill 1386 extends beyond California's borders by including any organization with information on California residents, regardless of its physical location. Organizations that fail to comply could face civil suits and fines. As such, we've spoken with Matt Stevens, vice president of marketing and technology at Network Intelligence Corp.--one company working to help firms with this new challenge--for some practical advice about complying with the law.
What are businesses required to do as a result of this new law?
Matt Stevens: The law requires businesses to detect and disclose any unauthorized access of personal data stored on their networks. Unauthorized access doesn't just apply to the hacker breaking in from the outside and stealing credit card numbers. It also applies to the janitor who logs on to an idle computer and to the nosy employee who pokes around the customer database without authorization.
Why should California businesses be concerned about the California hacker disclosure law? What kinds of businesses are affected?
Stevens: The law applies to any organization--business, nonprofit, government entity--electronically storing personal data on California residents. Personal data is specifically defined in the legislation, but it generally refers to the combination of a person's name with another identifying item, such as a Social Security number, driver's license number, credit card number or bank account. So any organization that possesses this information, from a church that keeps member donations in a database for tax purposes to a bookstore selling its goods online to a large supermarket with a customer rewards program, will be affected.
Most organizations have taken the security message to heart and installed security measures to protect their electronic data. However, many of them have taken the "Maginot Line" approach, meaning they've approached security as a battle between the bad guys on the outside and the good guys on the inside. Their security measures are designed specifically to keep the bad guys out. They have no mechanism to defend the data once a bad guy gets in or when someone on the inside turns out not to be a good guy. This law tells companies they can't just put a lock on the front door; they must secure the data itself. That is a far greater challenge and a hard sell to businesses that thought they were through with security when they bought a firewall.
Does this law affect businesses outside California?
Stevens: The law is designed to protect California residents from identity theft, so its reach applies to the citizen, not the organization. That means that any organization, anywhere in the country, can be held liable under this law if they electronically store information on California residents. [The law applies to] businesses with California customers and organizations with California members, regardless of their physical location. Additionally, legislation similar to the California law has been proposed in the U.S. Congress, which would make this issue relevant to every U.S. organization storing personal data electronically.
What can small businesses do to facilitate compliance with the law?
Stevens: This law compels organizations not only to secure their networks against breaches, but also to actively monitor activity and detect any unauthorized access. In the event an organization is sued by an individual for violation of the law, that organization would essentially be required to prove a negative--that no unauthorized access had occurred. To achieve compliance with the law, an organization must diligently report and record network activity and store that information should it become necessary to produce it as evidence.
Much of the necessary information for compliance already exists in the form of logs--electronic records of the "who," "what" and "when" of network activity. Capturing and managing that information is the real challenge for organizations, especially smaller organizations with limited IT resources, as even a small network could easily produce more than 8 million logs in a single day.
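To make the "who, what and when" concrete, here is an added example (not code from the interview, from Network Intelligence Corp. or from any product it sells) of the kind of review an organization could run over its own logs to surface the two insider cases Stevens described earlier: an account querying the customer database without being entitled to, and an interactive login at an hour when nobody should be at that workstation. The log layout (`timestamp user host action resource`), the authorization table, the business-hours window and every log line are constructed assumptions for the example; a real deployment would read the formats its own systems emit. Each reviewed line is also folded into a hash chain so the retained record can later be shown not to have been altered, which matters if the logs must be produced as evidence.

```python
"""Added example: review constructed audit logs for unauthorized access and
keep a tamper-evident record of what was reviewed. Not the page's own code."""
import hashlib
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample log lines (assumed layout: timestamp user host action resource).
SAMPLE_LOGS = """\
2003-06-30T09:12:01 alice ws-17 login -
2003-06-30T09:15:44 alice ws-17 query customer_db
2003-06-30T22:41:09 jsmith ws-22 login -
2003-06-30T22:43:50 jsmith ws-22 query customer_db
2003-06-30T14:02:13 bob ws-03 query customer_db
2003-07-01T03:30:00 alice ws-17 query customer_db
"""

# Assumed authorization model: which accounts may query which data store,
# and the window in which interactive activity is expected.
AUTHORIZED = {"customer_db": {"alice", "carol"}}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into its who/what/when fields; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, host, action, resource = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "action": action, "resource": resource}


def findings_for(event):
    """Return the policy findings that apply to a single parsed event."""
    out = []
    if event["action"] == "query":
        allowed = AUTHORIZED.get(event["resource"], set())
        if event["user"] not in allowed:
            out.append("unauthorized-resource")   # the nosy employee
    start, end = BUSINESS_HOURS
    if not (start <= event["ts"].time() <= end):
        out.append("outside-hours")               # the night-time login
    return out


def review(log_text):
    """Parse every line, collect alerts and hash-chain the retained lines.

    Returns (events, alerts, chain_digest). Each alert is a tuple of
    (timestamp, user, resource, findings). The digest changes if any
    retained line is altered, inserted or removed afterwards.
    """
    events, alerts = [], []
    chain = hashlib.sha256(b"")
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        findings = findings_for(ev)
        events.append(ev)
        if findings:
            alerts.append((ev["ts"].isoformat(), ev["user"], ev["resource"], findings))
        chain = hashlib.sha256(chain.digest() + raw.encode())
    return events, alerts, chain.hexdigest()


def summarize(alerts):
    """Collapse per-event alerts into a per-user count, a view that stays
    readable even when the raw log volume runs into the millions per day."""
    return Counter(user for _, user, _, _ in alerts)


if __name__ == "__main__":
    events, alerts, digest = review(SAMPLE_LOGS)
    print(f"{len(events)} events reviewed, {len(alerts)} alerts, chain {digest[:16]}...")
    for ts, user, resource, findings in alerts:
        print(f"  {ts} {user:<7} {resource:<12} {', '.join(findings)}")
    print("per-user:", dict(summarize(alerts)))
```

On the constructed input the review flags `jsmith` twice (a login and a query after hours, the janitor-at-an-idle-terminal case), `bob` once (querying `customer_db` without being on its authorized list) and `alice` once (an authorized account active at 03:30, which is worth a human look even though the access itself is permitted). The chain digest is what you would record alongside the retained logs; recomputing it over the stored lines and comparing it to the recorded value shows whether the evidence is still what was originally captured.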
Are there any businesses you are currently working with on this topic?
Stevens: We help organizations capture, analyze and manage their logs for a variety of purposes, including regulatory compliance. In addition to businesses soon to be affected by this legislation, we've worked with a number of organizations in the health-care industry and the finance industry, which have been dealing with similar regulations, respectively the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Even where legislation does not exist, organizations are interested in increasing their ability to track network activity, to increase their ability to detect security breaches, to prevent internal attacks and to audit security systems.