Data breach laws 'force firms to improve security'

California's data breach law has forced organisations to take data security seriously -- and has given consumers the tools to protect themselves against fraud, according to one of the architects of the legislation.

The law -- known as SB 1386 -- obliges Californian state agencies or businesses to disclose data security breaches to residents if their unencrypted personal information may have been compromised.

The introduction of the data breach legislation in California has been followed by similar moves from other US states, and momentum is building for the introduction of parallel laws around the world.

Californian state senator Joe Simitian, co-author of the Californian data breach law, said it gives consumers the power to protect themselves.

He said: "The fundamental thinking behind the bill was if people didn't know they were at risk they wouldn't be in a position to protect themselves. What you don't know can hurt you and ignorance is not bliss. The first step in being able to protect yourself is knowing that you are at risk.

"The legislation is about giving consumers the knowledge they need to protect themselves."

The legislation has also forced companies to improve the security of their customer data. Simitian added: "Once folks know they are required to disclose the breaches they get more serious about security precautions."

He also said that because most databases do not hold California-only information, an organisation that has to notify Californian customers finds it hard to leave customers in the other 49 states in the dark. "It has become effectively a national data breach [law] because most of the databases are not limited to California," he said.

Under the Californian law only leaks of certain personal information require an organisation to notify its customers. This personal information is defined by the legislation as an individual's name in combination with other specific pieces of information, when either the name or the other information is not encrypted.

These other elements include social security numbers, driver's licence numbers, or account numbers or credit/debit card numbers combined with any required security code or password that would permit access to an individual's financial account.

Under the legislation companies can delay notifying customers if a law enforcement agency thinks that it would impede a criminal investigation. The disclosure should be made in the "most expedient time possible and without unreasonable delay".

The notice given to customers can be written or electronic. If notification would cost more than US$250,000 -- or if more than 500,000 people are affected -- e-mail and/or notices on the organisation's Web site, together with notification to major state-wide media, can be used instead of postal notification.

The legislation has had a positive effect on security, according to Deirdre Mulligan, clinical professor of law at the UC Berkeley School of Law.

She said: "I believe that the law has heightened the attention paid to information security. The initial impact of the law was likely to make incidents public but the lasting effect should be to reduce the number and severity of breaches by creating incentives to invest in security."

Mulligan said her research had shown that security breaches drive information exchange among security professionals -- for example, some chief security officers summarised news reports from breaches at other organisations and circulated them to staff with 'lessons learned' from each incident.

She added: "The goal of the law was to improve security practices, not provide notices. Research and anecdote both suggest that it has improved practices along many dimensions. As practices improve, notices should decrease."

Some organisations have a 'that could have been us' moment and patch systems that have vulnerabilities similar to those of the organisation that suffered the breach. The introduction of the legislation has brought an improved focus on security and better information about the costs of failure, which allows for sounder investments, Mulligan noted.

Steve Ranger writes for silicon.com
