The Security Breach Information Act (S.B. 1386), which goes into effect Tuesday, requires companies that do business in California or that have customers in the state to notify consumers whenever their personal information may have been compromised.

Companies that fail to properly lock down information or to notify consumers of intrusions could be sued in civil court.

"Organizations that are following near-best practices for data security should be OK," said Ray Wagner, research director for information security strategies at Gartner. "However, you could read (the law) very conservatively: If you don't encrypt data...and maintain good audit trails, you open yourself up to lawsuits."

The law attempts to stem the growing problem of identity theft, in part by encouraging companies to be more open about security breaches that may have compromised consumer data.

[ Read more ]

Related items

• News: Taking the offensive on identity theft (29 May 2003)
• News: Try to protect yourself from identity theft (22 May 2003)
• News: Credit card scam raises awareness of identity theft (15 May 2003)
• News: Backup is key to identity theft protection (7 May 2003)
• News: Ex-con man advises on identity theft (25 April 2003)
• News: Identity theft problems in Australia (28 February 2003)
• News: Identity-theft complaints almost double in 2002 (23 January 2003)