Xantrion is the fastest growing computer network consulting firm in the San Francisco Bay Area. We are business reliability specialists for growing organizations, reducing costs and the risk of being unable to work.


The Bulletin – November/December Edition
Technical Tips
By Tom Snyder Ph.D.

Complying with the California Privacy Act

The California Privacy Act, which took effect July 1, 2003, provides that “Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

The following are answers to common questions regarding this law as well as suggestions for how to comply from a technical perspective.

What is “Personal information”?

Personal information consists of an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
• Social security number.
• Driver's license number or California Identification Card number.
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Is our business affected by this law?

Financial institutions, credit card companies, and automobile rental companies have data within the specified categories. Any business that sells via the Internet, mail or telephone will likely possess credit card information and therefore be affected. All employers have their employees’ social security numbers.

So if we encrypt our data are we exempt?

Not necessarily. Given that your data was obtained by a person skillful enough to bypass your other security measures, how do you know that your encryption keys were not compromised at the same time? Encryption should therefore not be thought of as your only, or even your first, line of defense. Other defenses include anti-virus software, firewalls, strong passwords and physical security.

Are we required to take proactive action to prevent data from being compromised?

No. Although it would be prudent to do so, the law does not require you to take any measures to prevent the compromise of personal information.

Are we required to take proactive action to determine if a compromise of data has occurred?

While the law says what notice you must provide should you know or “reasonably believe” that personal information was compromised, it does not say what action you must take, if any, to proactively determine whether there has been a breach of security.

What steps should a business take in light of this new law?

• Read the law in detail and discuss it with your legal counsel (http://www.privacy.ca.gov/code/cc1798.291798.82.htm).
• Inventory what “personal information” is maintained in computerized records, including personal information held by third parties.
• Review security protections in place to ensure that you have taken reasonable and prudent measures for protecting personal information.
• Develop reasonable procedures for detecting, investigating and reporting intrusions to responsible officers of the company.
• Develop policies and procedures for notifying law enforcement in the event of a breach.
• Develop policies and procedures for notifying California residents in the event of a breach, including:
    o identifying California residents
    o who makes the determination if the law is triggered
    o the content of notices to affected individuals
    o the means of giving notice to affected individuals

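The inventory step above asks which computerized records actually fall under the Act's definition of “personal information”: a name combined with an SSN, a driver's license or California ID number, or an account number together with a code that permits access, where the name or the data element is stored unencrypted. The following is an added example of how to apply that definition during an inventory; it is not code from the newsletter or from Xantrion, and the field names and sample records it uses are constructed assumptions that you would map onto your own schema.

```python
"""Classify computerized records against the California Privacy Act's
definition of "personal information": a first name (or initial) and last
name combined with an SSN, driver's license / CA ID number, or account
number plus an access code, where the name or the data element is stored
unencrypted. Field names and sample records below are constructed for
this example and are not drawn from the newsletter."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed field names; map these onto your own schema when inventorying.
NAME_FIELDS = ("first_name", "last_name")
SINGLE_ELEMENTS = ("ssn", "drivers_license", "ca_id_number")
ACCOUNT_ELEMENT = "account_number"
ACCESS_CODES = ("security_code", "access_code", "password")


@dataclass
class Record:
    fields: Dict[str, str]
    encrypted: Set[str] = field(default_factory=set)  # fields stored encrypted

    def has(self, name: str) -> bool:
        return bool(self.fields.get(name))

    def is_clear(self, name: str) -> bool:
        """Field is present and stored in plaintext."""
        return self.has(name) and name not in self.encrypted


def triggering_elements(rec: Record) -> List[str]:
    """Data elements that, together with the name, make rec "personal information".

    An element counts only if the name or the element itself is unencrypted;
    an account/card number counts only alongside a code permitting access."""
    if not all(rec.has(f) for f in NAME_FIELDS):
        return []  # no name: the statutory combination cannot occur
    name_clear = any(rec.is_clear(f) for f in NAME_FIELDS)
    found = []
    for elem in SINGLE_ELEMENTS:
        if rec.has(elem) and (name_clear or rec.is_clear(elem)):
            found.append(elem)
    codes = [c for c in ACCESS_CODES if rec.has(c)]
    if rec.has(ACCOUNT_ELEMENT) and codes:
        element_clear = rec.is_clear(ACCOUNT_ELEMENT) or any(rec.is_clear(c) for c in codes)
        if name_clear or element_clear:
            found.append(ACCOUNT_ELEMENT)
    return found


def inventory(records: List[Record]) -> Dict[int, List[str]]:
    """Map index of each record holding personal information -> elements found."""
    result: Dict[int, List[str]] = {}
    for i, rec in enumerate(records):
        elems = triggering_elements(rec)
        if elems:
            result[i] = elems
    return result


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    # 0: employee file, everything in plaintext -> SSN triggers
    Record({"first_name": "A", "last_name": "Lee", "ssn": "000-00-0000"}),
    # 1: web order: card number stored with its security code -> account triggers
    Record({"first_name": "Pat", "last_name": "Ng",
            "account_number": "4111111111111111", "security_code": "123"}),
    # 2: same data as 0 but name and SSN both encrypted -> outside the definition
    Record({"first_name": "A", "last_name": "Lee", "ssn": "000-00-0000"},
           encrypted={"first_name", "last_name", "ssn"}),
    # 3: card number without any access code -> not personal information
    Record({"first_name": "Pat", "last_name": "Ng", "account_number": "4111111111111111"}),
    # 4: SSN with no name attached -> not personal information
    Record({"ssn": "000-00-0000", "department": "HR"}),
    # 5: name encrypted but driver's license number in plaintext -> still triggers
    Record({"first_name": "Sam", "last_name": "Ortiz", "drivers_license": "X0000000"},
           encrypted={"first_name", "last_name"}),
]

if __name__ == "__main__":
    for idx, elems in inventory(SAMPLE_RECORDS).items():
        print(f"record {idx}: personal information via {', '.join(elems)}")
```

Record 5 is the case worth noting: encrypting the name alone does not take a record outside the definition if the license number beside it is in plaintext, which is why an inventory has to track encryption per field rather than per table.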
=========================
If you have questions or concerns about your particular situation, please e-mail me at tpsynder@xantrion.com. I will use your input to direct future columns.
=========================