New California law demands that security become a legal issue

Every year, organizations incur financial losses, suffer PR nightmares, and endure lawsuits from the theft or misuse of their proprietary information. To prevent these unwanted occurrences from happening, CIOs must implement solid security plans to safeguard vital data. Now, CIOs need to take even more into account when developing their security plans.

New legislative and regulatory changes will soon significantly change business and security environments for both public and private companies. A good example of such a change is a new California law that will greatly affect security planning in the state, and may also have ramifications for businesses outside the state. Here’s more on this new law and how it will change your outlook on corporate security.

Customer notification law
California recently set global precedent by enacting a new law expected to go into effect July 1, 2003 that will require notification to your customers of a security breach regarding personal information. California Bill Number SB 1386 requires that any “person or business that conducts business in California [and] that owns or licenses computerized data that includes personal information…disclose…any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

Marc J. Zwillinger, an attorney with Sonnenschein, Nath & Rosenthal, says, “To some extent, California is in fact regulating the way businesses operate throughout the United States. There is no other state with as comprehensive a mandatory reporting statute. Because businesses don't store customer information on different servers depending on where the customers live, and because many corporations do business in California, the statute will now be of significant concern when a penetration or unauthorized access occurs. Rather than allow California to dictate a national standard, this is a discussion that really needs to be held on a national level.”

A technical issue becomes a legal one
This law not only significantly affects your corporate liability, but it also requires the IT department to provide increasing due diligence to its security practices and policies.

There are several factors to consider when determining a company’s liability for customer information. First, CIOs must now view security as a legal issue just as much as a technological one. Second, organizations must acknowledge that corporate information security is a job that’s done best when it’s built into every step of a new project and not imposed upon it afterwards. Third, CIOs need to ensure clear responsibility at all levels of the IT department for implementing and maintaining new technologies, including new releases, updates, and upgrades. Finally, CIOs need to determine where the responsibility lies for integrating new or upgraded systems in which the customer's information is stored.

How do we minimize the liability risk factors?
When your information system’s safeguards fail, are you ready for the potential legal battles ahead? Even if an attack only lasts a few minutes, the potential legal battles and reporting costs could last for months. This does not take into account the loss of confidence the company can suffer with the public and its customers. All across the country, judges are assigning dollar amounts to hacker security breaches. How will this be done when security breaches like Code Red are released from your network? The following are some suggestions for actions you can take now:

 • Document, implement, maintain, and test your security policy.
 • Require regular security audits, not only internally, but with other companies/partners to which you may be connected.
 • Ensure that all contracts emphasize security and that the requirements are clearly stated.
 • Seek legal advice for regulations you are not clear about.
 • Consider checking into liability or security risk insurance.
 • Watch not only your specific industry news, but also general regulations that affect commerce globally.

Keep pace with the global economy
In just a short period of time, the economy has changed from one that is local and national to one that is borderless, requiring us to provide more due diligence as a court of law enters the picture and redefines liability. Also, because the global economy relies so heavily on the Internet, CIOs will be under increasing pressure to develop better security policies that protect the business data their systems capture from customers and vendors. Security is no longer just an IT concern, but rather a business decision that your company must consider in everything it does. The tasks of writing and modifying your security polices now require a legal twist in order to ensure their proper compliance.

TechRepublic originally published this article on April 28, 2003