California has become the first state to require businesses and state agencies to notify citizens if their personal information is compromised, typically at the hands of computer hackers. The Security Breach Information Act, which took effect on July 1, 2003, is designed to combat identity theft by compelling timely notification to potential victims. The law is as important for what it does as for what it means. By requiring disclosure of unauthorized electronic breaches, it forces businesses and state agencies to clean up their information-handling practices while creating an implicit incentive to invest in the security that may prevent computer crime in the first place.

A host of recent surveys suggest that corporate America's interest in security has increased since Sept. 11, 2001, but not to the extent one would expect. In terms of dollars spent, physical security, information security and personnel security remain low business priorities, especially relative to concerns about market share, efficiency and cost. While executives are happy to talk about the need for security, most corporations still regard it as a place to economize.

The particularly high number of computer worms ravaging the Internet last month illustrates the problem. The worm known as Blaster targeted computers running Microsoft operating systems. Sobig.F, seemingly innocuous, merged the threat of infection with spam. Both worms paralyzed systems throughout the world. Collectively, they cost corporate America millions of dollars. For hackers, they were an invitation to even more cybermalfeasance.

Worms and viruses are the tip of the iceberg. Hackers, some working alone, others as part of organized crime syndicates, steal names, addresses, Social Security numbers, bank access codes and credit card information with ease. Such crimes are now so commonplace that they rarely command the attention of the media.
The anonymous and dispersed nature of the Internet makes investigation a challenge and gives cyberthieves a sense of impunity. This says nothing of the more serious threat to the nation's critical information infrastructure, which is owned and operated almost exclusively by the private sector. It is now well known and widely reported that al-Qaeda showed an interest in cyberterrorism. As networks converge, automation increases and cybersecurity remains weak, the terror threat to cyberspace has emerged as a credible homeland security concern.

By requiring businesses and state agencies to notify citizen-consumers when their personal information is reasonably believed to have been compromised, California has set a new standard for information security. Now, when a computer server storing financial data or a driver's license bureau is hacked, those put at the greatest risk of fraud or identity theft can take proactive, preventive action. Once they know that personal information is in criminal hands, they can cancel credit cards, change passcodes and notify credit bureaus.

Liability for noncompliance

Under the new California law, businesses and state agencies that fail to comply may be held liable for resulting injuries sustained by the affected party. This might include fees, legal services and opportunity costs incurred to repair one's good name and credit. Even more seriously, the act provides that any business that violates the law may be "enjoined" (although the precise meaning of enjoined is left unclear).

For retailers, strong security practices decrease exposure to litigation and protect intangible assets such as reputation and good will. Companies with robust information security stand to gain, as consumers shift to sellers they deem more secure. Information security is now used as a marketing device. Consider campaigns promising not to sell e-mail addresses or personal data; litigation can drive marketing.
California's law recognizes a safe harbor for compromised encrypted information, which is exempt from the act's reporting requirement. Regardless of the extent or the seriousness of the security breach, the loss of encrypted confidential data is tantamount to no loss at all. In this sense, the act not only recognizes the value of security tools that are based on encryption, but de facto advocates them as a new standard of "security" care.

While California's unique security-breach reporting requirements are the exception and not the rule, that may change. Senator Dianne Feinstein, D-Calif., recently introduced federal legislation modeled in part on California's law. Businesses and government agencies nationwide should take a hint from the Golden State and plug information security holes now to prevent making identity theft victims out of citizen-consumers and becoming a victim themselves, to a lawsuit.

Steven E. Roberts, a homeland security consultant, is an NLJ columnist. He can be reached at [email protected].

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.