The public disclosure of security breaches is among the most embarrassing and career-threatening events that can take place on an IT managers watch.
Nonetheless, we believe that companies and government agencies ought to make public information about lapses in security, not only for the sake of their partners but also for the customers who entrust them with their personal data.
In California, the SB 1386 law regulates the maintenance and dissemination of personal information by state agencies and businesses, forcing agencies and companies to publicly notify potential victims of security breaches.
Recently, a database security failure at the University of California at Berkeley exposed the Social Security numbers and addresses of nearly 600,000 people. Although the case is still under investigation and there currently is no proof that the data was stolen, UC Berkeley officials, exceeding the letter of the law, told people whose personal information was in the compromised database that their information had been exposed and that they could become victims of identity theft.
While California SB 1386 has made news, it is for the most part nothing more than a notification law, lacking the teeth needed to punish offenders. Under SB 1386, there are no penalties for companies that expose private data, besides public humiliation. We believe real punishments should be implemented for repeat offenders to ensure companies and agencies are held accountable when data is exposed on their watch.
Another key limitation for California SB 1386 is that it covers only a few pieces of data when associated with a citizens name: Social Security numbers, drivers license numbers, account numbers, ID numbers and passwords. We believe future laws should protect information such as e-mail addresses as well. California has followed SB 1386 with the more proactive AB 1950 bill, signed into law in September, which calls for businesses and other entities that store private data on California residents to “implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access.”
SB 1386 and AB 1950 exempt parties that encrypt data, but the laws could leave loopholes: There is no provision as to the strength of the encryption nor is there any stipulation as to the care with which encryption keys must be handled. Much depends on the interpretation of “reasonable security procedures.”
Even so, the passage of more laws like SB 1386 should give IT the power to justify budget requests to buy encryption technologies to protect private data. In addition, we strongly encourage IT to continue investing in perimeter security devices and patch management.
Integrity is crucial to business and government activities. To engender integrity, we believe laws patterned after SB 1386 and AB 1950 should be adopted by more states as well as the U.S. government.
Were interested in your Opinion. Send your comments to [email protected].