With the deadline quickly approaching when a new privacy
regulation takes effect in California, businesses-both in
California and elsewhere-need to take steps now to get into
compliance. The new law, which takes effect July 1, requires any
organization electronically storing personal information on
California residents to disclose any unauthorized access of that
information. Passed in November, California Senate Bill 1386
extends beyond California's borders by including any
organization with information on California residents, regardless
of its physical location. Organizations that fail to comply could
face civil suits and fines. As such, we've spoken with Matt
Stevens, vice president of marketing and technology at Network
Intelligence Corp.-one company working to help firms with this
new challenge--for some practical advice about complying with the
law.
What are businesses required to do as a result of this new
law?
Matt Stevens: The law requires businesses to detect and
disclose any unauthorized access of personal data stored on their
networks. Unauthorized access doesn't just apply to the hacker
breaking in from the outside and stealing credit card numbers. It
also applies to the janitor who logs on to an idle computer and to
the nosy employee who pokes around the customer database without
authorization.
Why should California businesses be concerned about the
California hacker disclosure law? What kinds of businesses are
affected?
Stevens: The law applies to any organization--business,
nonprofit, government entity-electronically storing personal data
on California residents. Personal data is specifically defined in
the legislation, but it generally refers to the combination of a
person's name with another identifying item, such as a Social
Security number, driver's license number, credit card number or
bank account. So any organization that possesses this information,
from a church that keeps member donations in a database for tax
purposes to a bookstore selling its goods online to a large
supermarket with a customer rewards program, will be affected.
Most organizations have taken the security message to heart and
installed security measures to protect their electronic data.
However, many of them have taken the "Maginot line"
approach, meaning they've approached security as a battle
between the bad guys on the outside and the good guys on the
inside. Their security measures are designed specifically to keep
the bad guys out. They have no mechanism to defend the data once a
bad guy gets in or when someone on the inside turns out not to be a
good guy. This law tells companies they can't just put a lock
on the front door; they must secure the data itself. That is a far
greater challenge and a hard sell to businesses that thought they
were through with security when they bought a firewall.
Does this law affect businesses outside California?
Stevens: The law is designed to protect California residents
from identity theft, so its reach applies to the citizen, not the
organization. That means that any organization, anywhere in the
country, can be held liable under this law if they electronically
store information on California residents. [The law applies to]
businesses with California customers and organizations with
California members, regardless of their physical location.
Additionally, legislation similar to the California law has been
proposed in the U.S. Congress, which would make this issue relevant
to every U.S. organization storing personal data
electronically.
What can small businesses do to facilitate compliance with
the law? Stevens: This law compels organizations not only to
secure their networks against breaches, but also to actively
monitor activity and detect any unauthorized access. In the event
an organization is sued by an individual for violation of the law,
that organization would essentially be required to prove a
negative-that no unauthorized access had occurred. To achieve
compliance with the law, an organization must diligently report and
record network activity and store that information should it become
necessary to produce it as evidence.
Much of the necessary information for compliance already exists
in the form of logs-electronic records of the "who,"
"what" and "when" of network activity.
Capturing and managing that information is the real challenge for
organizations, especially smaller organizations with limited IT
resources, as even a small network could easily produce more than 8
million logs in a single day.
Are there any businesses you are currently working with on
this topic?
Stevens: We help organizations capture, analyze and manage
their logs for a variety of purposes, including regulatory
compliance. In addition to businesses soon to be affected by this
legislation, we've worked with a number of organizations in the
health-care industry and the finance industry, which have been
dealing with similar regulations, respectively the Health Insurance
Portability and Accountability Act (HIPAA) and the Gramm Leach
Bliley Act (GLBA). Even where legislation does not exist,
organizations are interested to increase their ability to track
network activity, to increase their ability to detect security
breaches, to prevent internal attacks and to audit security
systems.