California SB 1386 was one of the first and certainly the most visible state law dealing with breaches of security that cause private information to be disclosed. The law requires an agency, person, or business that conducts business in California and owns or licenses computerized personal information to disclose any breach of security to any resident whose unencrypted data is "believed to have been" disclosed. The law applies not only to companies with direct operations but also those who operate out of state and have California resident data on file.
Included in the law are definitions of what is considered private information, methods of evaluating whether or not information has been unlawfully disclosed, and requirements for notifications of California citizens.
The potential downside impacts for a company suffering a breach or loss of data can be substantial. Costs include potential loss of operating licenses in the State of California and damage to company reputation. In fact, most of the security incidents that have been made public, such as the ChoicePoint incident in February 2005 and the CardSystems incident in June 2005, were made public only because SB 1386 and other similar privacy laws required it.
One of the most controversial and costly components of the law is sorting through data retained by a company and identifying California residents who might have been affected by a data breach. For many companies, the solution is to notify everyone affected rather than be selective. In many cases, this approach was pursued because it was less expensive rather than because of true concern for customers.
From a controls perspective, the law forced many companies to become serious about how they managed private information. In many cases, companies had few, if any, useful privacy or security controls focused on protecting customer information. Many organizations adopted security controls built around the ISO 17799 framework and encrypted private information in order to comply.
SB 1386 and other privacy laws forced controls to be established around internal third-party oversight of information security, typically via the adoption of a security officer role. Additional controls include more stringent data classification controls and access controls, both logical and physical. Controls regarding the identification, disclosure, and reporting of data security breaches are required, as are formalized incident-reporting and management controls.
From an operational perspective, additional controls are required to assess the security profile of third parties, as well as what private data might be shared and the additional controls required.
Although U.S. privacy laws, including SB 1386, are becoming more prevalent, some international privacy legislation is more stringent. Two such laws are the European Directive on the Protection of Personal Data and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
In October 1995, the European Union passed the European Directive on the Protection of Personal Data. The directive governs personal information within all member countries of the EU and places minimum protection requirements on it. The directive also prohibits the transmission of information to entities in nonmember states with lesser information privacy protection requirements, including the United States. As with many laws that govern information privacy, the European directive requires entities that collect, transmit, process, or disclose personal information to use appropriate measures to protect such information. Some of the other directive requirements include:
Notification of individuals about the purposes for which their information is collected
Opt-out provisions regarding third-party disclosure or use beyond the original purpose
The right of individuals to correct, alter, or delete information pertaining to them that is inaccurate
Confinement of stored information to that which is relevant to the stated purpose
Canada enacted a national privacy law in 2004 commonly referred to as PIPEDA, the Personal Information Protection and Electronic Documents Act. It sets forth the following provisions to govern the collection, use, and disclosure of personal information:
Parties engaged in the collection of information must show accountability.
Information collectors must identify the purposes for the collection of personal information.
Information collectors must obtain consent from consumers.
The collection of personal information must be limited.
The use of personal information must be limited.
Disclosure and retention of personal information must be limited.
Information collectors must ensure the accuracy of personal information.
Information collectors must provide adequate security for the protection of personal information.
Information collectors must make information management policies readily available.
Information collectors must provide individuals with access to information about themselves.
Individuals are given the right to challenge an organization's compliance with these principles.
One of the consequences of SB 1386 is the adoption of identical or nearly identical versions of the bill by other states within the United States. Keeping up with the multiple varieties of similar laws is a significant task. Additionally, many countries have adopted or are in the process of adopting privacy laws. Some of the countries that have enacted privacy laws include Argentina, Japan, Australia, Canada, and of course, all the EU member states. A number of countries, including the United States, are considering privacy legislation at a national level.