Gearing Up For July 1, 2003 - Senate Bill 1386 - How Does It Affect You?
by Melisa LaBancz - IT Journalist - Friday, 30 May 2003.
What can you do? Since the law is in its infancy, there are no existing industry best practices. There are however, recommendations on what can be done. IDN supports the following:
  • Identify key systems containing personal information and activate/enhance logging capabilities on such systems
  • Consider encrypting all stored customer data. Determine whether the cost to the company is worth the time and effort of IT to employ total database encryption practices. If needed during a lawsuit, IT will have to prove the data was encrypted at the time of the security breach.
  • Deploy new technology designed to provide forensic detail about network conduct (see: guidancesoftware.com) and data-flow pattern anomalies (see: www.lancope.com) Timely and accurate answers to data acquisition will be critical.
  • If you don't already have one in place, create a comprehensive Incident Response Plan that details how IT will handle security breaches and other catastrophic incidents on the corporate network. Make sure that this plan includes a detailed notification procedure on how the company will address affected customers should IT detect a security breach. The law provides for more flexibility if an existing IT policy is in place for responding to incidents and notifying customers.
  • Include a provision in your IT response plan that addresses a period of investigation, and response to the security incident prior to notifying the customers. This will allow reasonable time to address the security breach and restore the integrity of the system before any mandatory notification begins.
  • Review all existing third-party contracts involving the transfer of sensitive personal data to ensure that they contain provisions for notification, investigation, and the right to participate in or control reporting of incidents involving customer data. This is especially important if IT has outsourced data storage and has no visibility into the storage network's compliance policies.
By proactively addressing threats to the infrastructure and employing a detailed incident response plan, IT Departments worldwide can provide added levels of assurance and compliance when July 1 comes around.



Disclaimer: This article is not intended to take the place of informed legal advice and/or counsel. The facts and suggestions contained herein are for informational purposes only and should be expanded upon by trusted legal sources. Should your company need specific advice and/or assistance in preparing a security response plan that is compliant with current laws and regulations, or have further questions regarding SB1386 it is recommended that you seek professional counsel.

Spotlight

(IN)SECURE Magazine issue 43 released!

Posted on 16 September 2014.  |  (IN)SECURE Magazine is a free digital security publication discussing some of the hottest information security topics. This issue covers web application security, mobile hacking, certification, Black Hat, and much more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Wed, Sep 17th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //