California Privacy Law: Goodbye Good Intentions

New law mandates disclosure of personal-data theft, no matter how good the company's security was

Any company that takes “reasonable” steps to protect its data, measured against, say, established best practices or the standards of industry peers, is doing the right thing, right? Wrong, at least according to a new California law (S.B. 1386). It says that no matter how good the intention, if someone gains unauthorized access to a database containing unencrypted personal information held by a government agency, company, or non-profit, the affected California residents must be notified without unreasonable delay, or the organization may be liable for damages. Personal information under the law means a person's name combined with a Social Security number, a driver's license or state ID number, or an account or credit card number together with any password or access code needed to use it. Data that was encrypted when it was taken does not trigger the notification duty.

Senator Dianne Feinstein of California recently introduced similar federal legislation (S.1350).

To assess the effects of the California law, what it now requires of companies doing business in that state, and the role of outsourcing, Security Strategies spoke with Mark Rasch, senior vice president and chief security counsel for managed security services provider Solutionary Inc. Rasch also founded and led the computer crime unit for the United States Department of Justice for 10 years and prosecuted key cases involving computer crime, hacking, fraud, and viruses.

Is this a paradigm shift for security professionals?

IT professionals and security professionals understand putting adequate resources into security to achieve a "reasonable" level of security. While there's no overarching standard of reasonableness, we know when we're doing something unreasonable, we know when we should be doing more. There are basic standards, federal standards, international standards, standards-setting organizations … So the IT professionals and the security professionals have a pretty good handle on what needs to be done, particularly at the larger institutions.

[Smaller organizations, however], might not have a full-time security staff. The problem as a consumer is your data—the data that can be used to commit fraud—isn't only located at the large institutions. And once that data is compromised, you’re open to identity theft. And they don't need a lot to do this. Plus, you might give the information to someone you trust, who gives it to someone else—such as a credit agency checking on a bank mortgage application. Then you get the mortgage, and they [give your information] to someone else.

What’s the corporate mandate, given recent laws such as the California identity theft law?

Basically, we have to apply adequate protection to personally identifying information throughout its entire lifecycle, no matter who touches it, where it resides, and no matter who it's transferred to. But we also need accurate, timely, and available information. Those are the main goals of information security. Enter the state of California.

How did the law come about?

It entered its life as a completely different law. There was legislation requiring the state of California to have its own privacy officer. Well, it turned out that about a year ago, there was a major break-in to the electronic data center that contained all the personally identifying information about California state employees. So … it's very rare to see legislation that requires notification by a state agency. That was a unique part of this bill, because normally they say "any company doing business in California must …"

So this was personal?

The big push for this bill was, someone broke into the data center, and got all these names, numbers, addresses, and then they started applying for credit cards in other people's names. Now if only the people knew immediately that their personal data could have been compromised, then they could have taken remedial actions.

What does the law require?

The California law is a strict liability statute. [So] you can have the best security on your Web site, but even if you're ironclad, if the stuff gets out, despite your best intentions, you have a responsibility to report that. It makes sense, because if your data was compromised, you don't care—as a consumer [you want to know].

How do companies know the difference between an intrusion and having information stolen?

There's a fallacy that underlies the whole thing, and that's that there’s a genuine ability by companies to know that information has been stolen. Because at best we can know that a network has been penetrated. So the analogy I use is you see muddy footprints in your den. Do you therefore assume that the books on your shelves have been read, or the files in the filing cabinet, when it's entirely possible that all the guy needed was a pen. And a better analogy is in an office—you see something was disturbed in your office or someone wasn’t supposed to be there. What assumptions do you make?

What can businesses do to prevent getting in trouble?

As a general rule, what you want to do to avoid reporting under the California law is not just be reasonable, you want to prevent the attacks in the first place. Since the majority of the attacks are coming in through known vulnerabilities, you want to be aware of the attacks on your networks. That's what Solutionary does, this intrusion prevention. While someone might be able to get into your network, you want to lock them out. Then [we do] intrusion detection as well, real time, remedial notification.

What if no one has seen the kind of attack used before; how do you know you’re being attacked?

The answer is very simple—the [law] only mandates that you know what you know. Some people have taken the ostrich approach. That won't work. Because while it may, for a short period of time, help you with the reporting, it doesn't help you with the liability.

What counts as “the company”?

A company is deemed to know anything that its employees know about during the scope of their employment. So let's say an employee sees a network penetration during a routine sweep, and kicks the guy out. Problem solved, right? Except he never told the security people. But is there an obligation to tell the security people? [Under the law] the company knows, and the company has liability, so making sure that information about vulnerabilities and attacks escalates to the right people is crucial.

So more people need to be involved?

[As an outsourcer] we try to make the process more inclusive. Who should be involved? Because the problem you have under California law [is] a company not knowing. When someone breaks in, it's now no longer a technical problem. Someone can go to jail.

For more information about Solutionary, visit: http://www.solutionary.com/.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.