California Bill Would Require More Detailed Data-Breach Disclosures

Published June 1, 2009

A bill introduced in the California State Senate would require companies doing business in the state to provide consumers and state authorities with more detailed information about network data breaches.

Senate Bill 20, which moved out of committee and onto the Senate’s agenda in April, would force organizations that are breached to admit the extent of the compromise and provide consumers with enough information to determine whether they face a risk of harm.

State Sen. Joe Simitian (D-Palo Alto), who authored the measure, said such information, combined with simultaneous notification to state authorities, would give law enforcement, researchers, and others better data for understanding the nature and scope of the data breach problem instead of relying on reports from media outlets, which don’t cover every breach.

Simitian said he’d also like to push for a law requiring companies that allow data breaches to compensate consumers monetarily. But Simitian told those attending a Security Breach Notification symposium in Berkeley in March that adding such a requirement is not high on the list of priorities for California legislators.

Beefing Up Notification
“I’ve been rooting for more detailed disclosure. This is a good thing,” said Dominique Levin, executive vice president of marketing and strategy at LogLogic, a San Jose, California-based data management solutions company. “I received a brief notification from a company recently, but what does that mean?”

Levin pointed out many of these notifications just say an account “may” have been breached.

“Should I change my account information or not? More notification is a good thing,” Levin said. “I don’t think that disclosure alone is sufficient. Businesses need to take the next step and put more preventative measures in place. And the government has to impose fines that are higher than the cost of putting those measures in place.”

‘A Serious Issue’
Scott Testa, a marketing expert at St. Joseph’s University in Philadelphia, agrees, saying the ever-increasing danger of data breaches is “a serious issue.”

“When an organization is breached, it should be taken seriously and there should be some compensation [for the affected parties],” Testa said.

Those measures, at a minimum, should include firewalls and intrusion monitoring, Levin added.

Breaches Increasingly Harmful
Mike Logan, president of Access Technology LLC in Boston, said centralizing breach notification information would help companies better determine the greatest risks and best practices for protecting against those risks. However, any such centralized information would also need to be protected from breaches.

“This will raise awareness,” Logan said. “People are fed up with their data being lost. There is room to improve.”

Data confidentiality has moved from background to the foreground in the past five years, said Nicholas Alexander, a partner with Boston, Massachusetts-based Morrison Mahoney LLP.

“It used to be that if there was a breach, it wasn’t a big deal,” Alexander said. “But now we know that people who are committing the breaches are doing so to do bad things. The breaches are much more harmful than we originally thought.”

Data Rising in Importance
“It used to be that most of the value was in goods and services [as opposed to user data], so we protected them in a number of different ways,” Alexander added. “We have laws to protect people from toxic products.”

Now that data have become so important to the overall economy and people’s way of life, similar protections need to be made available for data as for goods and services, according to Alexander.

However, Alexander cautions against creating an insurable risk, because then firms will simply buy the insurance instead of putting in place proper protections against data breaches.

Battling ‘New Bad Things’
“We can remember life 30 years ago when our private information was protected and safe,” said Jeff Kagan, an independent telecom analyst based in Atlanta, Georgia. “In today’s networked and computerized world, privacy is just a memory. Everything is online and gets hacked frequently.

“In today’s environment it makes sense if our private information is breached that we should be made aware of it,” Kagan said. “We have to be able to battle the new bad things that this new information society presents.”

Phil Britt writes from South Holland, Illinois.