For the first time, government regulations will require organizations to be open about security breaches, which traditionally have gotten swept under the rug--or addressed without much fanfare.
California civil code 1798.82, which goes into effect Tuesday, requires any business or person who "maintains computerized data that includes personal information that the person or business does not own...(to) notify the owner or licensee of the information of any breach of the security."
It also wields an enforcement stick: Any company doing business in California that fails to provide the notice required by law opens itself to a damage suite by any customer injured. That includes the possibility of class-action lawsuits and injunctive relief. In layman's terms: Companies must alert customers if information that can be used to perpetrate identity theft--people's social security, driver's license and credit card numbers--is stolen or compromised. Otherwise, they can get sued for staggering amounts of money.
The statute provides a powerful incentive for companies to protect a narrow segment of valuable computer data maintained on electronic networks. Batten down the hatches, because California 1798.82 is just the tip of the iceberg for computing companies--in fact, all industries that store and use electronic data.
Just recently, Sen. Diane Feinstein sponsored a bill in Congress to make this California statute into national law. Both litigation over the theft of intellectual property and the enforcement of privacy violations are also picking up speed. The Federal Trade Commission is investigating a May security flaw in Microsoft's Passport service that put more than just its 200 million customers' accounts at risk of being hijacked. That could lead to hefty fines. And in June, Lockheed Martin filed suit against Boeing, accusing its rival of illegally obtaining and using tens of thousands of pages of proprietary Lockheed documents to win a large rocket contract with the U.S. government.
Baby steps or a brisk run?
Individually, each of these situations has significant impact, but when I step back and look at tall three trends, I see enormous daily risks facing companies that use electronic technologies. Companies face two choices: They can apply a Band-Aid for compliance with specific statutes, or be savvy and employ the broad protection and auditing measures needed to avoid an onslaught of coming regulations and litigation. And at the same time, companies will be able to protect their data from theft by competitors.
Just recently, Sen. Diane Feinstein sponsored a bill in Congress to make this California statute into national law.
Today a company's crown jewels--marketing plans and strategies, financial information, customer information, employee HR records, acquisition strategies, product plans, manufacturing processes--are all maintained in computer data. Studies show that more than 90 percent of information created today by businesses is maintained in electronic formats, making it easier for a company's critical intellectual property to leak out of an organization. Nowhere is this more true than the technology industry, where operations are virtually entirely electronic and rely on the use of a plethora of technologies that make it easy for data to leak, particularly with the Internet and new data integration initiatives.
Companies need to step up to the plate and finally protect individual pieces of data--and track how that data is used and by whom. This is important not only to meet the dictates of the new California statute on personal information but also to protect a company's intellectual property. It is important for a company to be able to prove who stole its data and how it was stolen; otherwise there is no way a company can enforce its rights in court to retrieve stolen computer data and keep competitors from using or distributing its data.
Unfortunately, the computer security systems that companies have already bought--firewalls and intrusion detection--are not enough to comply with the new California statute or to protect data from theft by a competitor. They merely log activity in a small slice of the path of confidential data as it travels inside, outside and between today's companies--and do nothing to provide the encryption needed to comply.
The statute provides a powerful incentive for companies to protect a narrow segment of valuable computer data maintained on electronic networks.
Make no mistake: As of July 1, companies will have to impose closer control over their data. But California 1798.82 is just the tip of the iceberg if companies don't take that brisk run beyond mere compliance and toward preventive measures.