CALIFORNIA’S NEW RULES OF DISCLOSURE

A California law that takes effect July 1 will force companies inside and outside the state to disclose embarrassing information-security breaches.

A California law that takes effect July 1 will force companies inside and outside the state to do what they historically have been loath to do: disclose embarrassing information security breaches.

If companies believe that their California customers' personally identifiable financial information may have been accessed by an unauthorized party, they must inform those customers of the breach. Disclosure may be delayed if law-enforcement officials deem the disclosure could jeopardize an investigation.

Of 376 organizations polled for the 2003 Computer Security Institute/FBI Computer Crime and Security Survey, each experiencing a breach in the past year, half say they kept the incidents quiet. Thirty percent of those surveyed reported the breach to law enforcement, while 21 percent sought legal counsel. A majority of organizations say negative publicity was the reason for not disclosing security breaches to law enforcement.

Now organizations that do business with Californians won't have a choice -- and the same may soon be true for companies that don't. A federal law similar to California's is in the works: Sen. Dianne Feinstein, D-Calif., is readying a federal bill based largely on the California law.

Security experts say most companies, especially those outside the already heavily regulated health-care and financial industries, have done little to prepare for the new law. "Companies underestimate the impact of the law," says Ryan McGee, director of product marketing for Internet security company Network Associates Inc.'s McAfee division. He says his company has received few inquires from customers about how to comply. "It will take lawsuits and serious damages before many businesses become concerned about it," McGee says.

The law, which passed last year, is only now grabbing the attention of companies outside California. "We found out that it applies to us a few weeks ago," says a security specialist at a Northeast consumer-goods manufacturer. "We're looking at how we can better encrypt customer information and possibly segment customer names from their financial information so a hacker would have to breach two databases."

That's a good start. "If data is encrypted at the time of the breach, you should be OK," says Nick Akerman, partner at law firm Dorsey & Whitney LLP. But some warn that encryption alone isn't a security panacea. "The problem with encryption is that data isn't always encrypted during its life cycle, and we hear stories all the time of hackers breaking passwords," says Mark Rasch, former head of cybercrime at the Department of Justice and chief security counsel at security provider Solutionary Inc.

Beyond requiring that data be encrypted and that disclosure of a breach be timely, the law provides little guidance as to what technically constitutes a breach that would require disclosure, what level of encryption companies should deploy, and how soon after a breach a disclosure would be considered timely under the law. "A lot of these laws have holes you could drive a truck through," says John Pescatore, a VP at IT advisory firm Gartner.

Still, companies that are already on top of their security efforts shouldn't see much change. "Now is the time to review policies on protecting and accessing nonpublic customer data," says Gene Fredriksen, VP of information security at Raymond James & Associates. "It's just good business."