New Privacy Regulation to Take Effect July 1

Law requires organizations to detect, disclose unauthorized access of personal information

By Karen E. Spaeder

Opinions expressed by Entrepreneur contributors are their own.

With the deadline quickly approaching when a new privacy regulation takes effect in California, businesses, both in California and elsewhere, need to take steps now to get into compliance. The new law, which takes effect July 1, requires any organization electronically storing personal information on California residents to disclose any unauthorized access of that information. Passed in November, California Senate Bill 1386 extends beyond California's borders by including any organization with information on California residents, regardless of its physical location. Organizations that fail to comply could face civil suits and fines. As such, we've spoken with Matt Stevens, vice president of marketing and technology at Network Intelligence Corp., one company working to help firms with this new challenge, for some practical advice about complying with the law.

What are businesses required to do as a result of this new law?
Matt Stevens:
The law requires businesses to detect and disclose any unauthorized access of personal data stored on their networks. Unauthorized access doesn't just apply to the hacker breaking in from the outside and stealing credit card numbers. It also applies to the janitor who logs on to an idle computer and to the nosy employee who pokes around the customer database without authorization.

Why should California businesses be concerned about the California hacker disclosure law? What kinds of businesses are affected?
The law applies to any organization (business, nonprofit, government entity) electronically storing personal data on California residents. Personal data is specifically defined in the legislation, but it generally refers to the combination of a person's name with another identifying item, such as a Social Security number, driver's license number, credit card number or bank account. So any organization that possesses this information, from a church that keeps member donations in a database for tax purposes to a bookstore selling its goods online to a large supermarket with a customer rewards program, will be affected.

Most organizations have taken the security message to heart and installed security measures to protect their electronic data. However, many of them have taken the "Maginot line" approach, meaning they've approached security as a battle between the bad guys on the outside and the good guys on the inside. Their security measures are designed specifically to keep the bad guys out. They have no mechanism to defend the data once a bad guy gets in or when someone on the inside turns out not to be a good guy. This law tells companies they can't just put a lock on the front door; they must secure the data itself. That is a far greater challenge and a hard sell to businesses that thought they were through with security when they bought a firewall.

Does this law affect businesses outside California?
The law is designed to protect California residents from identity theft, so its reach applies to the citizen, not the organization. That means that any organization, anywhere in the country, can be held liable under this law if they electronically store information on California residents. [The law applies to] businesses with California customers and organizations with California members, regardless of their physical location. Additionally, legislation similar to the California law has been proposed in the U.S. Congress, which would make this issue relevant to every U.S. organization storing personal data electronically.

What can small businesses do to facilitate compliance with the law?
Stevens:
This law compels organizations not only to secure their networks against breaches, but also to actively monitor activity and detect any unauthorized access. In the event an organization is sued by an individual for violation of the law, that organization would essentially be required to prove a negative: that no unauthorized access had occurred. To achieve compliance with the law, an organization must diligently report and record network activity and store that information should it become necessary to produce it as evidence.

Much of the necessary information for compliance already exists in the form of logs: electronic records of the "who," "what" and "when" of network activity. Capturing and managing that information is the real challenge for organizations, especially smaller organizations with limited IT resources, as even a small network could easily produce more than 8 million logs in a single day.

Are there any businesses you are currently working with on this topic?
We help organizations capture, analyze and manage their logs for a variety of purposes, including regulatory compliance. In addition to businesses soon to be affected by this legislation, we've worked with a number of organizations in the health-care industry and the finance industry, which have been dealing with similar regulations, respectively the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Even where legislation does not exist, organizations are interested in increasing their ability to track network activity, to increase their ability to detect security breaches, to prevent internal attacks and to audit security systems.
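The two technical points in the interview above, detecting the insider cases Stevens lists (the janitor on an idle workstation, the employee browsing the customer database without authorization) and retaining the "who," "what" and "when" log records so they can later be produced as evidence, can be sketched in a few dozen lines. The following is an added example by the editor, not code from the article or from Network Intelligence Corp. The log line format, the usernames, hostnames, table names and the role policy are all constructed for illustration; a real deployment would feed it database audit logs or application access logs and a policy drawn from the organization's own access-control decisions.

```python
"""Review access logs for unauthorized access to personal data and
hash-chain the raw records for retention.

Added example, not from the article. Log format, users, hosts and the
role policy below are constructed for illustration.
"""
import hashlib
from datetime import datetime, time

# Constructed sample log: one line per database access, carrying the
# "who" (user, host), "what" (action, table) and "when" (timestamp).
SAMPLE_LOGS = """\
2003-06-02T09:14:05 user=alice host=ws-21 action=query table=orders
2003-06-02T09:20:44 user=alice host=ws-21 action=query table=customers
2003-06-02T23:41:02 user=bob host=ws-07 action=query table=customers
2003-06-02T12:03:19 user=carol host=ws-12 action=export table=customers
2003-06-02T02:15:33 user=alice host=ws-21 action=query table=customers
2003-06-02T10:30:00 user=unknown host=203.0.113.8 action=query table=customers
"""

# Tables that hold "personal information" in the SB 1386 sense
# (a name combined with another identifier). Constructed.
PERSONAL_DATA_TABLES = {"customers"}

# Constructed role policy: which users may touch personal-data tables,
# which actions they may perform, from which workstation, and when.
# bob (facilities staff) has no entry, so any access by him is flagged.
POLICY = {
    "alice": {"actions": {"query"}, "hosts": {"ws-21"},
              "hours": (time(8, 0), time(18, 0))},
    "carol": {"actions": {"query", "export"}, "hosts": {"ws-12"},
              "hours": (time(8, 0), time(18, 0))},
}


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def check(rec):
    """Return a reason string if this access is unauthorized, else None."""
    if rec["table"] not in PERSONAL_DATA_TABLES:
        return None                      # not personal data; out of scope
    rule = POLICY.get(rec["user"])
    if rule is None:
        return "no role grants access to personal data"
    if rec["action"] not in rule["actions"]:
        return f"action {rec['action']} not permitted for user"
    if rec["host"] not in rule["hosts"]:
        return "access from a host not assigned to the user"
    start, end = rule["hours"]
    if not start <= rec["ts"].time() <= end:
        return "access outside the user's working hours"
    return None


def review(log_text):
    """Return a list of {line, reason} findings for unauthorized accesses."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            reason = check(parse_line(line))
            if reason:
                findings.append({"line": line, "reason": reason})
    return findings


def chain_records(lines):
    """Hash-chain raw log lines so a retained copy can later be checked
    for removed or altered entries (each digest covers its predecessor)."""
    prev = "0" * 64
    chained = []
    for line in lines:
        digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chained.append({"line": line, "prev": prev, "sha256": digest})
        prev = digest
    return chained


def verify_chain(chained):
    """True if every record links to its predecessor and its digest matches."""
    prev = "0" * 64
    for rec in chained:
        expected = hashlib.sha256((prev + "\n" + rec["line"]).encode()).hexdigest()
        if rec["prev"] != prev or rec["sha256"] != expected:
            return False
        prev = rec["sha256"]
    return True


if __name__ == "__main__":
    for f in review(SAMPLE_LOGS):
        print(f"UNAUTHORIZED: {f['reason']}: {f['line']}")
    chain = chain_records(SAMPLE_LOGS.splitlines())
    print("retained chain verifies:", verify_chain(chain))
```

Run against the constructed log it flags three lines: bob querying the customer table with no role that permits it, alice querying it at 02:15 outside her hours, and an unknown user from an external address. The policy table, not the parser, is where the real work lies; the "prove a negative" point in the interview is only credible if every access to the personal-data tables is logged and the policy encodes who is actually entitled to read them. The hash chain detects tampering with a retained copy but not wholesale regeneration by whoever holds the store, so the chain head (or the records themselves) should be shipped to a system the logged users and administrators cannot write to.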

Karen E. Spaeder

Karen E. Spaeder is a freelance business writer in Southern California.
