Going Public: Dealing with the Disclosure Mandate of California's Latest Privacy Law
September 2003
If you store information on California residents,
you'll be subject to a new law designed to thwart identity theft. The Privacy
Council looks at ways to plan ahead.
by Jennifer Simin,
edited by Gary E. Clayton
www.privacycg.com
There's a new California law designed to thwart identity theft—privacy advocates
are praising it and federal lawmakers are attempting to adapt it for the nation.
So why does California's Information Practices Act (SB 1386) incite such strong
opposition from industry groups, corporate counsel, and business leaders nationwide?
Two words: risk and reach.
The risk associated with SB 1386 applies not only to those who don't comply
with the law, but to those who do as well. And the law applies not only to organizations
located in California, but also to those outside the Golden State.
Effective July 1, 2003, the Act states that when an organization has a security
breach resulting in unauthorized access to confidential information, the organization
must immediately notify those affected of the breach. The Act affects every
company and agency that stores personal information on California residents—even
those entities located outside the state. Failure to notify can subject the
company to class-action lawsuits or civil damages. But going public with the
breach throws an organization into the court of public opinion where the ruling
can be a public relations nightmare that does irrevocable damage. Would you,
for instance, shop online at a Web site that said it had been compromised?
A privacy crisis is a brand-threatening crisis. Jack P. Gibson, president
of International Risk Management Institute, writes: "Once companies lose
credibility in the marketplace, their entire business franchise is in peril.
There is no insurance for this."1 The question, then, is this: Can your
organization or your client's organization implement a disclosure process that
limits the risk of damage to brand equity? The answer, along with some practical
guidelines, will require that you: (a) know the law, its intent, and the unanswered
questions it presents; (b) protect personal data; (c) educate appropriate parties;
and (d) prepare a disclosure process before it is necessary.
Let's start with the background requirements and work our way up to some
recommended actions for mitigating risk during the disclosure process.
Know What the Law Says and Doesn't Say
To begin, it's best to clarify terms—something SB 1386 doesn't do very well
in a few important instances. To read the complete text of the law, visit this Web
site. Below is an explanation of the provisions of the law, followed by some
unanswered questions (other questions are sure to be introduced in the courts).
You'll need to get legal counsel's opinion on these vague areas.
Exactly Who Must Provide Notice of a Breach, and When?
According to the law, any state agency or a person or business that conducts
business in California that owns, licenses, or maintains computerized data that
includes personal information must "disclose
any breach of the security of the system following discovery or notification
of the breach in the security of the data to any resident of California whose
unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorized person." Translation:
If you have a database containing personal information on a California resident,
whether an employee or a customer, and you even think that an intrusion on your database has been attempted,
you must disclose your concern. It doesn't matter if identity theft or fraud
never occurred—you've got to go public. Unanswered question to ask legal counsel:
What exactly does "reasonably believed" mean?
What Constitutes Personal Information?
SB 1386 defines personal information as:
an individual's first name or first initial and last name in combination
with any one or more of the following data elements, when either the name
or the data elements are not encrypted: Social Security number; driver's
license number or California ID card number; account number, credit or debit
card number, in combination with any required security code, access code,
or password that would permit access to an individual's financial account.
Personal information does not include publicly available information. Translation:
Personal information is an unencrypted name plus a Social Security number or a financial
account number along with an access code. Unanswered question for legal counsel:
There is no widely accepted industry standard for encrypting data that is "at
rest"—that is, sitting in storage rather than in transit—so what level of encryption does the law require?
What Does It Mean To Disclose the Breach?
The notification required by SB 1386 must be made "immediately following discovery"
and "consistent with the legitimate needs of law enforcement." Notice may be
provided by one of the following methods: written notice or electronic notice;
or, if the cost of providing notice exceeds $250,000, the class of affected
persons exceeds 500,000 individuals, or sufficient contact information
is unavailable, substitute (delayed) notice may be given.
Substitute notice must consist of all of the following:
- E-mail notice when the organization has the e-mail address
- Conspicuous posting of the notice on the organization's Web site
- Notification to major statewide media
This is pretty straightforward. Unanswered questions here for legal counsel
might be: Who decides what a legitimate need of law enforcement is? How specific
do we have to be about the depth and breadth of the breach?
What Good Will It Do?
Despite legal interpretations and the complexities of compliance, SB 1386
is designed to protect consumers and, ultimately, help businesses and organizations.
Identity theft is costly to consumers and the marketplace. Speed is of the essence
in stopping the damage that identity theft puts into motion. SB 1386 will help
reduce the time and money spent in minimizing identity theft damage. Furthermore,
it will help to increase the number of intrusions reported to law enforcement.
The Justice Department has complained for years that few hacker attacks are
reported to police, even though many violate federal laws. The more law enforcement
knows about this crime and its patterns, the better it can be fought.
The move to enact federal legislation similar to SB 1386 is underway. Senator
Dianne Feinstein introduced the Notification of Risk to Personal Data Act (S.
1350) on June 26, 2003. It has been referred to the Senate Committee on the
Judiciary. Getting your organization ready to comply with SB 1386 can be viewed
as a head start on compliance with federal legislation that many say is inevitable.
Visit this Web site to read Senator Feinstein's bill.
Practice Prevention
The best risk-mitigating method for complying with SB 1386 is to guard against
data security breaches in the first place. Spending on security is often treated
as an afterthought or, at best, a cost of doing business. However, to borrow
another phrase from Mr. Gibson, cyberspace has become "a battleground, and
unprepared businesses will be civilian casualties."2 Risk managers need
to protect organizations and consumers from ever-increasing cyber attacks and
even disruptions of the Internet itself. The best way to do this is to provide
information technology (IT) professionals with management, staffing, and financial
support.
Part of this support should include a privacy and security assessment to
determine customer and employee data collection and management practices and
policies, and to review whether due-care network security standards and baseline
safeguards are in place. In your security assessment, don't forget to target
attacks from within your organization as well as from the outside. A recent
survey of over 500 U.S. workers performed by Harris Interactive Service Bureau
found that 66 percent of participants said their coworkers, not hackers, pose
the greatest risk to consumer privacy. Only 10 percent said hackers were the
greatest threat. Forty-six percent said it would be "easy" to "extremely easy"
for workers to remove sensitive data from the corporate database, and 40 percent
classify the security level of their corporate database as somewhere between
"not at all secure" and "secure." (See the detailed copy of survey results.)
Knowing your organization's privacy and cybersecurity risks will not only
allow you to close the gaps these risks present, but will help you create a
disclosure process rooted in reality and therefore, less likely to harm your
brand. IT professionals should also encrypt data. Secure Sockets Layer (SSL)
is necessary but not sufficient. SSL is the most widely used
encryption protocol on the Internet—a de facto industry standard. But it only
protects data in transit from one location to another. IT professionals must
determine how best to protect data that is at rest (sitting in storage) and
data that is in use (being created, viewed, or manipulated). Again, security
solutions here will require commitment from management—and money.
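The two points above meet in one practical control: the statute's trigger is a name stored next to an unencrypted data element, and SSL does nothing for data sitting in storage. The following is an added example, not code from the article or from Privacy Council, showing field-level encryption of a stored Social Security number with AES-256-GCM in Go. It assumes the key is kept outside the database (in a key-management service, HSM, or separately protected file); the Record type, the function names, and the sample row are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed example of one customer row. The name stays in the
// clear; the SSN is the statutory "data element" that must not sit next to it
// unencrypted.
type Record struct {
	FirstName string
	LastName  string
	SSN       string // plaintext while in use; base64(nonce||ciphertext||tag) at rest
}

// NewKey generates a 256-bit AES key. Assumption: the key lives outside the
// database (KMS, HSM, or a separately protected file), never beside the rows.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one sensitive field with AES-256-GCM. A fresh random nonce
// is prepended; GCM appends an authentication tag so any change to the stored
// value is detected when it is read back.
func sealField(key []byte, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openField reverses sealField and fails closed on a wrong key, a truncated
// value, or a ciphertext altered in storage.
func openField(key []byte, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreRecord returns the row as it should be written to the database.
func StoreRecord(key []byte, r Record) (Record, error) {
	ct, err := sealField(key, r.SSN)
	if err != nil {
		return Record{}, err
	}
	return Record{FirstName: r.FirstName, LastName: r.LastName, SSN: ct}, nil
}

// LoadRecord decrypts a stored row for an authorized application path.
func LoadRecord(key []byte, stored Record) (Record, error) {
	pt, err := openField(key, stored.SSN)
	if err != nil {
		return Record{}, err
	}
	return Record{FirstName: stored.FirstName, LastName: stored.LastName, SSN: pt}, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample row, not a real person.
	stored, _ := StoreRecord(key, Record{"Jane", "Doe", "123-45-6789"})
	back, _ := LoadRecord(key, stored)
	fmt.Printf("at rest: %+v\nin use:  %+v\n", stored, back)
}
```

A row copied out of this database carries the name but only an opaque SSN field, and the same stored value read back with a wrong key, a truncated value, or a single altered byte is rejected rather than silently decrypted. Protecting the key itself (access control, rotation, separate storage) is what turns this from a formality into the "encrypted" condition the definition turns on.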
Educate the Players
If your organization or your client's organization wants to stay one step
ahead of the SB 1386 disclosure mandate, employees must be aware of the law,
its requirements, internal privacy and security policies, and potential intrusion
risks. To stop the bad guys, the good guys have to have a clue. The Harris Interactive
survey mentioned above reveals another interesting fact: There is a shortage
of U.S. workers with this particular type of clue. Of the 500 U.S. workers polled,
32 percent were unaware of internal company policies to protect customer data;
28 percent of managers said they did not have or did not know if their company
had a written security policy; and 96 percent were not aware of SB 1386.
In order to know when to make a disclosure, an organization must first know
that disclosure is required, under what circumstances it is required, and what
an intrusion can look like. You should also ensure that any partners and vendors
with whom you share information are also well informed of the law and of privacy
and security standards to which you expect them to adhere.
Disclosures That Build, Not Break, Brand Equity
To return to our original question then: Can your organization or your client's
organization implement an SB 1386 disclosure process that limits the risk of
damage to brand equity? The answer is yes, if the organization is armed with
knowledge of the law, knowledge of existing cybersecurity risks, and an understanding
of the law's importance.
The disclosure process starts with a detailed plan addressing the following
issues:
- Who is responsible for overseeing SB 1386 compliance before and when
a data security breach occurs?
- Do we have business partners who could cause a data security breach
for which we could be liable?
- What are the criteria for determining reasonable belief that an intrusion
attempt has occurred?
- Who is the spokesperson for SB 1386 disclosures?
- Have all staff and other appropriate parties been trained in SB 1386
compliance?
- Is a policy in place on what types of records should be kept to aid
in possible criminal prosecutions of hackers?
- Is a policy in place on speaking publicly about privacy and security
issues?
Many security experts say that despite all the best efforts, it is only a
matter of time until every organization suffers some sort of intrusion attempt.
So, when crafting a disclosure, keep in mind that today's consumers are going
to be seeing more and more of these statements (especially if the push to introduce
federal legislation similar to California's SB 1386 succeeds). While your disclosure
will be noted, it certainly won't be unprecedented.
Also, be prepared for media coverage even if your situation does not require
notification of the press. Local and national publications regularly run stories
on the disclosure statements companies make about privacy and security breaches.
The disclosure statement you publish will be affected by the method of communication
you choose, by whether or not you notify all or only California victims, and
by the possible necessity of delaying notice for one of the reasons allowed
by the law. A few principles, however, are wise to consider whenever creating
a disclosure statement, regardless of the medium you use for communication:
Disclosure Guidelines
- Notify law enforcement first. Remember that the more law enforcement knows about cybercrime and
its patterns, the better it can be fought.
- Become a consumer advocate. Consider
educating your customers about the law before a breach ever happens,
using a communication that also informs them how your organization
plans to handle disclosure in the event of a breach. Inform them
of current studies regarding the growth and danger of cyber attacks.
This practice can go a long way in garnering trust, which in turn
will have a positive effect on any disclosures you must make in
the future. Remember that transparency is highly regarded in the
court of public opinion.
- Complete a disclosure audit. Using
the results of your privacy and security assessment, develop a list
of watch issues or scenarios that may lead to privacy and security
breaches for your organization.
- Develop a short prepared statement for
each identified watch issue. Take the results of your disclosure
audit and summarize your organization's message in relation to each
potential threat.
- Make the disclosure statement positive
and forward looking. Emphasize what new protections are in
place to avoid a future recurrence.
- Be clear in your disclosure about inquiry
procedures for affected employees and consumers. Again, transparency
is highly regarded in the court of public opinion.
- Designate and train a disclosure communications
spokesperson. A single spokesperson for disclosure communications
will ensure a consistent message. Your spokesperson should have
a title that is directly connected to your organization's privacy
policy. Because media coverage is likely, and shareholder inquiries
are certain, your spokesperson should have strong communication
skills and should be trained to answer specific questions in a decisive
and positive manner.
- Assess the damage. Take the temperature
of non-media audiences to determine the extent to which the privacy
crisis has hurt the reputation of your organization. Devise a communications
strategy to restore their trust.
- Analyze the media coverage. Where
was your disclosure covered? Where was it ignored? Who did the best
job of reporting the story? Who got it wrong or was particularly
tough? Answers to these questions will create a roadmap of steps
you will need to take to repair any damage done with key journalists
or news organizations.
- Keep your public informed with direct
and substantive updates. Use e-mail, snail mail, and your
Web site to keep the public informed. You may wish to consider conducting
special phone-based briefings for some victims and other non-media
audiences.
Conclusion
The time to prepare a disclosure process for complying with SB 1386 is before
an intrusion happens, not after. A proactive approach does not mean admitting
defeat prematurely. Planning ahead prevents chaos and confusion at the time
of crisis. It is already easier to sway public perception in a negative direction
than a positive one. Don't lend a hand where it's not needed—be prepared.
SB 1386 is a mixed bag for risk professionals. There are many unanswered
questions regarding the Act that will have to be decided in a court of law.
In the meantime, compliance is a slippery path surrounded by risk on all sides.
Still, the law represents progress in defending the increasingly valuable asset
that is personally identifiable information—good news for businesses and consumers
alike. It is hoped that compliance with the law will turn the slippery path
into a fast-moving highway, where secure, trusted information exchange gains
traction.
Jennifer Simin is an editor with the Knowledge Products division of Privacy
Council, Inc., the global resource for privacy and data protection services.
Ms. Simin has edited over 10 books and interactive CD-ROMs on privacy and data
protection including Privacy Manager Work Plan, HIPAA Privacy Implementation
Guide, and PR Strategies for Privacy Issues. Currently, she is editor of the
nation's leading privacy, data and security digest, Privacy Weekly, which is
also published by Privacy Council every Wednesday. Before entering the privacy
arena, Ms. Simin spent 7 years in business-to-business marketing with a focus
on healthcare, energy services, and commercial real estate markets.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.