SB 1386: How California Wants to Keep Your Secrets

Jul 01, 2003

Remember when a Social Security Number was supposed to be a top-secret identifier for government use only? Now SSNs are bandied about, and companies don't blink before asking you for such personal information. As a result, people have a great deal of valuable personal data that needs to be secured and managed, and a new law in California, the Security Breach Notification Act (SB 1386), intends to keep your information safe and sound.

In April of 2002, hackers entered the California state government system and accessed personal information on over 200,000 state employees, ranging from the governor to janitors. Worse yet, the government did not notify the employees until weeks after the incident occurred. SB 1386 was developed in response to this and similar breaches that have left hundreds of thousands of people victims of crimes they did not even know about. SB 1386 is designed to ensure that Californians know any time their personal information may have been misappropriated. Companies and agencies that do not comply with SB 1386 leave themselves vulnerable to civil lawsuits by anyone victimized by a security breach.

Personal information is defined in SB 1386 as an individual's first name or initial and last name in combination with an SSN, a driver's license number, or any account number, credit card number, or debit card number together with the associated password or access code. Personal information does not include any publicly available information.

The law, in effect as of July 1, 2003, applies only to Californians, though Americans around the country may reap benefits. It can be extremely expensive and time consuming for companies to sift through customer lists and pull out only those in a specific geographical region, so if a breach occurs, many companies have elected to notify any customer whose information may have been stolen. "Granted, this will not come cheap," says Arshad Noor, founder and CEO of StrongAuth, Inc., a California-based company that provides solutions for sensitive data management and identity management. "However," Noor continues, "when you factor in that we haven't, fundamentally, changed security architecture--specifically, authentication and authorization--in the last 30 years, then you realize that businesses have been getting a 'free ride' so far, and it's now time to pay the piper."

When a breach is suspected, companies are required to notify potential victims "in the most expedient time possible and without unreasonable delay," a phrase the bill does not define further. Notification can be given by written notice, by electronic notice, or, under certain conditions, by substitute notice. A substitute notice can be an email, a "conspicuous posting" on the company's Web site, or notification to statewide media. The conditions that allow substitute notification are a notification cost of over $250,000 or a pool of potential victims of over 500,000. The only time companies are not required to notify individuals is when notification would compromise an investigation or case pending under California's jurisdiction.

Companies are often reluctant to acknowledge security breaches, because competitors and clients can view it as a sign of weakness. Requiring companies to divulge such information will give California and the rest of the country a better picture of the extent of hacking. "While SB 1386 will create some short-term grumbling, in the long term it will have positive effects for everyone," says Noor. "This is because it forces businesses to acknowledge that they need to make some fundamental changes in their infrastructure and operations to exercise better control of employee and customer data."

Businesses are not the only organizations affected by SB 1386; universities are learning that they too must comply with the new law. In response to SB 1386, the University of California has issued an amendment to the UC Business & Finance Bulletin IS-3, "Electronic Information Security." The amended portion includes details from SB 1386 and allows individual campuses to broaden the definition of "personal information." It also requires campuses to establish Implementation Plans for Security Breach Notification. Plans must include a designation of authority, a data inventory, an incident response process, local notification procedures, and reporting requirements. "This law has given us an opportunity to reinforce the importance that departmental system administrators review their security strategies as well as their data collection and retention strategies to reduce vulnerability," says Jacqueline Craig, IT Policy Coordinator for the University of California, Berkeley.

"SB 1386 is the first wake-up call; ignoring it, or not taking it seriously, will only make the alarm more strident," according to Noor. "Businesses have the choice of fixing the fundamental issues and staving off further regulation, or as may be more typical, apply another 'band-aid' to the problem and carry on until the next fiasco."

For anyone worried that their identity or personal data has been stolen, California's Office of the Attorney General has put together a collection of tips and strategies. While tailored to Californians, it is a valuable resource for anyone whose personal information may have been stolen. It is available on the Attorney General's Web site at: