With the deadline quickly approaching when a new privacy regulation takes effect in California, businesses-both in California and elsewhere-need to take steps now to get into compliance. The new law, which takes effect July 1, requires any organization electronically storing personal information on California residents to disclose any unauthorized access of that information. Passed in November, California Senate Bill 1386 extends beyond California's borders by including any organization with information on California residents, regardless of its physical location. Organizations that fail to comply could face civil suits and fines. As such, we've spoken with Matt Stevens, vice president of marketing and technology at Network Intelligence Corp.-one company working to help firms with this new challenge--for some practical advice about complying with the law.
What are businesses required to do as a result of this new
law?
Matt Stevens: The law requires businesses to detect and
disclose any unauthorized access of personal data stored on their
networks. Unauthorized access doesn't just apply to the hacker
breaking in from the outside and stealing credit card numbers. It
also applies to the janitor who logs on to an idle computer and to
the nosy employee who pokes around the customer database without
authorization.
Why should California businesses be concerned about the
California hacker disclosure law? What kinds of businesses are
affected?
Stevens: The law applies to any organization--business,
nonprofit, government entity-electronically storing personal data
on California residents. Personal data is specifically defined in
the legislation, but it generally refers to the combination of a
person's name with another identifying item, such as a Social
Security number, driver's license number, credit card number or
bank account. So any organization that possesses this information,
from a church that keeps member donations in a database for tax
purposes to a bookstore selling its goods online to a large
supermarket with a customer rewards program, will be affected.
Most organizations have taken the security message to heart and installed security measures to protect their electronic data. However, many of them have taken the "Maginot line" approach, meaning they've approached security as a battle between the bad guys on the outside and the good guys on the inside. Their security measures are designed specifically to keep the bad guys out. They have no mechanism to defend the data once a bad guy gets in or when someone on the inside turns out not to be a good guy. This law tells companies they can't just put a lock on the front door; they must secure the data itself. That is a far greater challenge and a hard sell to businesses that thought they were through with security when they bought a firewall.
Does this law affect businesses outside California?
Stevens: The law is designed to protect California residents
from identity theft, so its reach applies to the citizen, not the
organization. That means that any organization, anywhere in the
country, can be held liable under this law if they electronically
store information on California residents. [The law applies to]
businesses with California customers and organizations with
California members, regardless of their physical location.
Additionally, legislation similar to the California law has been
proposed in the U.S. Congress, which would make this issue relevant
to every U.S. organization storing personal data
electronically.
What can small businesses do to facilitate compliance with the law? Stevens: This law compels organizations not only to secure their networks against breaches, but also to actively monitor activity and detect any unauthorized access. In the event an organization is sued by an individual for violation of the law, that organization would essentially be required to prove a negative-that no unauthorized access had occurred. To achieve compliance with the law, an organization must diligently report and record network activity and store that information should it become necessary to produce it as evidence.
Much of the necessary information for compliance already exists in the form of logs-electronic records of the "who," "what" and "when" of network activity. Capturing and managing that information is the real challenge for organizations, especially smaller organizations with limited IT resources, as even a small network could easily produce more than 8 million logs in a single day.
Are there any businesses you are currently working with on
this topic?
Stevens: We help organizations capture, analyze and manage
their logs for a variety of purposes, including regulatory
compliance. In addition to businesses soon to be affected by this
legislation, we've worked with a number of organizations in the
health-care industry and the finance industry, which have been
dealing with similar regulations, respectively the Health Insurance
Portability and Accountability Act (HIPAA) and the Gramm Leach
Bliley Act (GLBA). Even where legislation does not exist,
organizations are interested to increase their ability to track
network activity, to increase their ability to detect security
breaches, to prevent internal attacks and to audit security
systems.
