California's data breach law has forced organizations to take data security seriously and given consumers the tools to protect themselves against fraud, according to one of the architects of the legislation.
The law--known as SB 1386--obliges California state agencies, and businesses that operate in the state, to notify residents of a data security breach when their unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The introduction of the data breach legislation in California has been followed by similar moves from other U.S. states, and in the U.K. momentum is building for the introduction of a similar law.
Earlier this month, an influential House of Lords committee said the introduction of a data breach law in the United Kingdom would be one of the most important advances it could make to improve Internet security, and ZDNet Asia sister site Silicon.com recently launched its Full Disclosure campaign, calling for a rethink of U.K. law in this area to improve the reporting of data breaches.
California State Senator Joe Simitian, co-author of the state's data breach law, said it gives consumers the power to protect themselves.
He told Silicon.com: "The fundamental thinking behind the bill was if people didn't know they were at risk they wouldn't be in a position to protect themselves. What you don't know can hurt you and ignorance is not bliss. The first step in being able to protect yourself is knowing that you are at risk.
"The legislation is about giving consumers the knowledge they need to protect themselves."
The legislation has also forced companies to improve the security of their customer data. Simitian added: "Once folks know they are required to disclose the breaches they get more serious about security precautions."
And because most databases are not limited to California residents, he said, an organization that has to notify its Californian customers finds it hard to leave customers in the other 49 states in the dark. "It has become effectively a national data breach [law] because most of the databases are not limited to California," he said.
Under the California law, only the exposure of certain personal information requires an organization to notify the people affected. The legislation defines that personal information as an individual's first name or first initial and last name in combination with one or more other specific data elements, when either the name or the data elements are not encrypted.
Those other data elements are a social security number; a driver's licence number or California identification card number; or an account number or credit/debit card number together with any required security code, access code or password that would permit access to the individual's financial account. Encrypting either half of that combination takes a breach outside the notification requirement, which is the incentive that drives organizations to encrypt stored customer data.
Under the legislation, notification may be delayed if a law enforcement agency determines that it would impede a criminal investigation. Otherwise the disclosure must be made in the "most expedient time possible and without unreasonable delay".
The notice given to customers can be written or electronic. If notification would cost more than US$250,000, or if more than 500,000 people are affected, an organization may use substitute notice instead of postal notification: e-mail to affected individuals whose addresses it holds, a conspicuous notice on its Web site, and notification to major state-wide media, all three together.
The legislation has had a positive effect on security, according to Deirdre Mulligan, clinical professor of law at the UC Berkeley School of Law.
She told Silicon.com: "I believe that the law has heightened the attention paid to information security. The initial impact of the law was likely to make incidents public but the lasting effect should be to reduce the number and severity of breaches by creating incentives to invest in security."
Mulligan said her research had shown that publicized breaches drive information exchange among security professionals: some chief security officers, for example, summarized news reports of breaches at other organizations and circulated them to staff with 'lessons learned' from each incident.
She said: "The goal of the law was to improve security practices, not provide notices. Research and anecdote both suggest that it has improved practices along many dimensions. As practices improve, notices should decrease."
Some organizations have a 'that could have been us' moment and patch systems that share the vulnerabilities exploited in another organization's breach. The legislation has brought a sharper focus on security and better information about the cost of failure, which allows for sounder security investments, she added.
Steve Ranger of Silicon.com reported from London.