Want CNET to notify you of price drops and the latest stories?

Law aims to reduce identity theft

A new California law requires companies to notify consumers of security breaches that may have compromised personal information. E-commerce sites are worried but security companies are thrilled.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
4 min read
A California law that requires e-commerce companies to warn consumers when their personal information may have been stolen could provide a boost for security firms.

The Security Breach Information Act (S.B. 1386), which goes into effect Tuesday, requires companies that do business in California or that have customers in the state to notify consumers whenever their personal information may have been compromised.

Companies that fail to properly lock down information or to notify consumers of intrusions could be sued in civil court.

"Organizations that are following near-best practices for data security should be OK," said Ray Wagner, research director for information security strategies at Gartner. "However, you could read (the law) very conservatively: If you don't encrypt data...and maintain good audit trails, you open yourself up to lawsuits."

The law attempts to stem the growing problem of identity theft, in part by encouraging companies to be more open about security breaches that may have compromised consumer data.

Last year, the number of U.S. consumers that complained about some sort of identity theft nearly doubled to 162,000, according to the Federal Trade Commission (FTC).

The most common manifestation of the problem was credit-card fraud, which accounted for 42 percent of the complaints, according to the FTC. Another 22 percent of consumers complained of unauthorized telephone or utility services obtained fraudulently using their personal information. Other major types of identity theft included using the victim's information to obtain a job or to apply for government services.

Moreover, a report by the U.S. General Accounting Office noted that convictions don't result in harsh sentences. A criminal prosecuted under Pennsylvania's identity theft statute would have to steal more than $100,000 to get a minimum one-year prison term. A felony drug conviction for 2 grams of heroin or cocaine--worth about $200, according to the report--would result in the same minimum.

The California law, signed by the governor last September, defines personal information as a last name paired with a first name or first initial and one of the following: a social security number, a driver's license or California Identification Card number, or a number from a bank account, credit card or debit card, along with a password or security code that would give access to the account.

Any company or individual that collects such data has to notify a California customer when that person's information may have been "acquired by an unauthorized person." A company that does business in California must notify any customer of such unauthorized access. Failing to notify consumers can result in the company being sued in civil court.

Renewed focus on data
Security flaws, like those that occurred at FTD.com and to Microsoft's Passport service, could trigger notification under the law.

Online auctioneer eBay won't have to change its business practices to comply with the law, said spokesman Kevin Purseglove.

"We feel the steps that we have historically always taken with regards to notifying users about the possibility of any breach will essentially be the same steps that we follow under this new law," he said.

Despite such sentiments, security firms that deal with encryption or securing data have had a significant jump in inquires from companies that believe they could be affected by the law.

"It's dramatic," said Jim Schoonmaker, CEO of Liquid Machines, which sells software to ensure that data stays encrypted. "They are coming from all over the United States. Any large enterprise has customers in California, and more importantly, they are looking at this as a harbinger of what is to come."

The California law exempts personal information that a company has stored in an encrypted format, and thus encrypting data may be the easiest way to comply, said Nick Akerman, an attorney with New York law firm Dorsey & Whitney.

"If someone brought a lawsuit, the company would have to show that they had the data encrypted," he said. "The law doesn't apply to encrypted data. It's basically saying to companies that if you encrypt the data, you don't have to give notice."

Guaranteeing the data is encrypted all the time may not be feasible for every company, so other security companies are focusing on strengthening the locks.

Application security firm Sanctum secures the way people access data through the Web and other avenues. Such application firewalls check to make sure that the access to data is legitimate and not part of some attack.

"While encryption is a necessary part of this, it is not sufficient," said Peggy Weigle, Sanctum's CEO. "There are multiple weak points on the Internet chain."

As the deadline for the law has neared, Sanctum has received numerous inquiries, Weigle said.

In conjunction with other legislation that makes companies accountable for the security and integrity of the data they hold, such as the Health Insurance Portability and Accountability Act or HIPAA and Graham-Leach-Bliley, the Security Breach Information Act likely signals that more laws to protect consumers will be on the way.

For example, U.S. Sen. Dianne Feinstein, D-Calif., introduced federal legislation last week modeled on the California law.

"I strongly believe individuals have a right to be notified when their most sensitive information is compromised--because it is truly their information," Feinstein said in a statement. "This is both a matter of principle and a practical measure to curb identity theft."