New Privacy Regulation to Take Effect July 1
Law requires organizations to detect, disclose unauthorized access of personal information
Opinions expressed by Entrepreneur contributors are their own.
With the deadline quickly approaching when a new privacy regulation takes effect in California, businesses, both in California and elsewhere, need to take steps now to get into compliance. The new law, which takes effect July 1, requires any organization electronically storing personal information on California residents to disclose any unauthorized access of that information. Passed in November, California Senate Bill 1386 extends beyond California's borders by including any organization with information on California residents, regardless of its physical location. Organizations that fail to comply could face civil suits and fines. As such, we've spoken with Matt Stevens, vice president of marketing and technology at Network Intelligence Corp., one company working to help firms with this new challenge, for some practical advice about complying with the law.
What are businesses required to do as a result of this new law?
Matt Stevens: The law requires businesses to detect and disclose any unauthorized access of personal data stored on their networks. Unauthorized access doesn't just apply to the hacker breaking in from the outside and stealing credit card numbers. It also applies to the janitor who logs on to an idle computer and to the nosy employee who pokes around the customer database without authorization.
Why should California businesses be concerned about the California hacker disclosure law? What kinds of businesses are affected?
Stevens: The law applies to any organization (business, nonprofit, government entity) electronically storing personal data on California residents. Personal data is specifically defined in the legislation, but it generally refers to the combination of a person's name with another identifying item, such as a Social Security number, driver's license number, credit card number or bank account. So any organization that possesses this information, from a church that keeps member donations in a database for tax purposes to a bookstore selling its goods online to a large supermarket with a customer rewards program, will be affected.
Most organizations have taken the security message to heart and installed security measures to protect their electronic data. However, many of them have taken the "Maginot line" approach, meaning they've approached security as a battle between the bad guys on the outside and the good guys on the inside. Their security measures are designed specifically to keep the bad guys out. They have no mechanism to defend the data once a bad guy gets in or when someone on the inside turns out not to be a good guy. This law tells companies they can't just put a lock on the front door; they must secure the data itself. That is a far greater challenge and a hard sell to businesses that thought they were through with security when they bought a firewall.
Does this law affect businesses outside California?
Stevens: The law is designed to protect California residents from identity theft, so its reach applies to the citizen, not the organization. That means that any organization, anywhere in the country, can be held liable under this law if they electronically store information on California residents. [The law applies to] businesses with California customers and organizations with California members, regardless of their physical location. Additionally, legislation similar to the California law has been proposed in the U.S. Congress, which would make this issue relevant to every U.S. organization storing personal data electronically.
What can small businesses do to facilitate compliance with the law?
Stevens: This law compels organizations not only to secure their networks against breaches, but also to actively monitor activity and detect any unauthorized access. In the event an organization is sued by an individual for violation of the law, that organization would essentially be required to prove a negative: that no unauthorized access had occurred. To achieve compliance with the law, an organization must diligently report and record network activity and store that information should it become necessary to produce it as evidence.
Much of the necessary information for compliance already exists in the form of logs: electronic records of the "who," "what" and "when" of network activity. Capturing and managing that information is the real challenge for organizations, especially smaller organizations with limited IT resources, as even a small network could easily produce more than 8 million logs in a single day.
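As an added illustration of the monitoring Stevens describes (example code, not from the interview or from Network Intelligence), this Python sketch reads constructed "who / what / when" audit lines, flags access to a personal-data table by accounts that are not authorized for it or that act from a workstation they are not assigned to (the nosy-employee and idle-computer cases above), and stores the lines under a SHA-256 hash chain so the retained record can later be produced as evidence and checked for tampering. The log format, policy tables, host and account names are all assumptions.

```python
import hashlib
import re

# Constructed "who / what / when" audit lines (hypothetical format, not a real product's).
SAMPLE_LOGS = [
    "2003-06-02T09:14:05 user=jsmith host=ws-12 action=query table=customer_pii rows=3",
    "2003-06-02T12:31:40 user=tlee host=ws-07 action=query table=inventory rows=120",
    "2003-06-02T22:47:12 user=cleaning-kiosk host=ws-12 action=logon table=- rows=0",
    "2003-06-02T22:49:30 user=cleaning-kiosk host=ws-12 action=query table=customer_pii rows=250",
    "2003-06-03T08:03:11 user=tlee host=ws-07 action=query table=customer_pii rows=1",
]
# Hypothetical policy: who may read tables holding personal data, and which
# workstation each account is assigned to. Unknown accounts match no host.
PII_TABLES = {"customer_pii"}
AUTHORIZED_PII_USERS = {"jsmith"}
ASSIGNED_HOST = {"jsmith": "ws-12", "tlee": "ws-07"}
LINE_RE = re.compile(r"^(?P<when>\S+) user=(?P<who>\S+) host=(?P<host>\S+) "
                     r"action=(?P<what>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$")

def parse(line):
    """Split one audit line into its who/what/when fields; reject lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return m.groupdict()

def findings(lines):
    """Return (when, who, reason) for every event the policy does not allow."""
    out = []
    for ev in map(parse, lines):
        if ev["table"] in PII_TABLES and ev["who"] not in AUTHORIZED_PII_USERS:
            out.append((ev["when"], ev["who"], "unauthorized-pii-access"))
        if ASSIGNED_HOST.get(ev["who"]) != ev["host"]:
            out.append((ev["when"], ev["who"], "activity-from-unassigned-host"))
    return out

def retain(lines):
    """Store lines with a SHA-256 hash chain so a later edit to any line is detectable."""
    chain, prev = [], ""
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        chain.append((line, prev))
    return chain

def verify(chain):
    """True only if recomputing the chain from the stored lines reproduces every digest."""
    return retain([line for line, _ in chain]) == chain
```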
Are there any businesses you are currently working with on this topic?
Stevens: We help organizations capture, analyze and manage their logs for a variety of purposes, including regulatory compliance. In addition to businesses soon to be affected by this legislation, we've worked with a number of organizations in the health-care industry and the finance industry, which have been dealing with similar regulations, respectively the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Even where legislation does not exist, organizations are interested in increasing their ability to track network activity and to detect security breaches, to prevent internal attacks and to audit security systems.