Most corporations are going to take the path of least exposure, i.e., letters mailed to affected customers. Interestingly, there is no language in this law governing what the notification has to say, and whether or not it has to be easily understood by the customer. Even more compelling, this law applies worldwide, to any company doing business in the state, regardless of what they sell and whether or not they know that such a law exists.
As Marc Zwillinger, chair of the Information Security and Anti-Piracy practice group at Sonnenschein Nath & Rosenthal in Washington D.C. states, "Most corporations do not routinely segregate data related to California residents from other customer or employee data, this [law] may have a significant effect on how companies across the U.S. handle IT issues."
Important to Understand
The events that trigger this law are best summed up in an excerpt that reads: '...acquisition of computerized data in non-encrypted form by an unauthorized person…' Since the law does not specify information that was acquired due to unauthorized conduct, the law doesn't necessarily require a company to disclose every act of employee misconduct.
"Data" in this case is defined as the first name, last name, and any combination of the following: Social Security Number, driver's license number, account number, debit or credit card information. The caveat being that the data acquired has to be non-encrypted. Should a security breach occur to a database housing encrypted customer data, the law does not apply.
From a Technical Perspective
It isn't possible to prepare for every security breach, but comprehensive response plans must be in place. Nationwide, the Federal Trade Commission (FTC) is aggressively cracking down on corporations; enforcing the edict that requires IT to maintain sufficient security and response programs to protect their customer data.
"Preventative measures are important, but do not constitute compliance." affirms John Patzakis, President and CEO of Guidance Software, "Administrators will need to have a forensic plan in place to detect these incidents, especially internal incidents and fraudulent acquisition of customer data. Computer forensics determine what and when specific data was compromised."
Suggestions for Getting Ready