The California Security Breach Information Act 1798.29 (originally known as SB-1386) states:
“(a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Any company that does business in California and maintains private data on California residents must comply with the statute. In the wake of several high-profile security breaches, other states have followed California's lead. More than 22 states now have their own versions of a privacy law, and the United States Congress is considering federal legislation. A similar law, the European Union privacy directive, is already in place in Europe.
These laws apply to computerized data consisting of an individual's first name or first initial and last name in combination with a Social Security number, driver's license number, bank account information, credit card numbers, and associated access codes. Typically this data is stored in databases on computer servers and accessed through PC or web-based clients. The biggest threat to data privacy may arise when data is moved offsite to remote backup locations or to other business parties. There have been recent high-profile exposures in which major banks reported lost backup tapes containing the account information of hundreds of thousands of customers.