
Full Disclosure: How the law is working in the Golden State
By Steve Ranger
Published: 3 September 2007 10:00 GMT
California's data breach law has forced organisations to take data security seriously - and has given consumers the tools to protect themselves against fraud, according to one of the architects of the legislation.
The law - known as SB 1386 - obliges Californian state agencies or businesses to disclose data security breaches to residents if their unencrypted personal information may have been compromised.
The introduction of the data breach legislation in California has been followed by similar moves from other US states, and in the UK momentum is building for the introduction of a similar law.
silicon.com's Full Disclosure campaign - what we are asking for...
silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.
We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.
We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below, emailing us at editorial@silicon.com or signing the 10 Downing Street e-petition.
Earlier this month an influential House of Lords committee said the introduction of a data breach law in the UK would be one of the most important advances the UK could make to improve internet security, and silicon.com recently launched its Full Disclosure campaign, calling for a rethink of UK law in this area to improve the reporting of data breaches (see box).
Californian state senator Joe Simitian, co-author of the Californian data breach law, said it gives consumers the power to protect themselves.
He told silicon.com: "The fundamental thinking behind the bill was if people didn't know they were at risk they wouldn't be in a position to protect themselves. What you don't know can hurt you and ignorance is not bliss. The first step in being able to protect yourself is knowing that you are at risk.
"The legislation is about giving consumers the knowledge they need to protect themselves."
The legislation has also forced companies to improve the security of their customer data. Simitian added: "Once folks know they are required to disclose the breaches they get more serious about security precautions."
And he said because most databases don't have California-only information, if an organisation has to notify Californian customers it is hard for them to leave customers in the other 49 states in the dark. "It has become effectively a national data breach [law] because most of the databases are not limited to California," he said.
Under the Californian law only leaks of certain personal information require an organisation to notify its customers. This personal information is defined by the legislation as an individual's name in combination with other specific pieces of information, when either the name or the other information is not encrypted.
These other elements include social security numbers, driver's licence numbers, or account numbers or credit/debit card numbers in combination with any required security code or password that would permit access to an individual's financial account.
Under the legislation companies can delay notifying customers if a law enforcement agency thinks that it would impede a criminal investigation. The disclosure should be made in the "most expedient time possible and without unreasonable delay".
The notice given to customers can be written or electronic. If notification would cost more than $250,000 - or if more than 500,000 people are affected - email and/or notices on the organisation's website, as well as notification to major state-wide media, could be used instead of postal notification.
The legislation has had a positive effect on security, according to Deirdre Mulligan, clinical professor of law at the UC Berkeley School of Law.
She told silicon.com: "I believe that the law has heightened the attention paid to information security. The initial impact of the law was likely to make incidents public but the lasting effect should be to reduce the number and severity of breaches by creating incentives to invest in security."
Mulligan said her research had shown that security breaches drive information exchange among security professionals - for example, some chief security officers summarised news reports of breaches at other organisations and circulated them to staff with 'lessons learned' from each incident.
She said: "The goal of the law was to improve security practices, not provide notices. Research and anecdote both suggest that it has improved practices along many dimensions. As practices improve, notices should decrease."
Some organisations have a 'that could have been us' moment and patch systems with vulnerabilities similar to those of the organisation that suffered the breach. The introduction of the legislation has brought an improved focus on security and better information about the costs of failure, which allows for sounder investments, she added.
silicon.com's Full Disclosure campaign is about giving the public confidence that when they entrust their personal information to an organisation it will act as a responsible guardian of that data. Reinforcing that trust will encourage more people to interact online, providing an important boost to the online economy. Sign the e-petition and make your voice heard by government.
Copyright © 2008 CBS Interactive Limited. All rights reserved.