Going Public: Dealing with the Disclosure Mandate of California’s Latest Privacy Law

September 2003

If you store information on California residents, you'll be subject to a new law designed to thwart identity theft. The Privacy Council looks at ways to plan ahead.

by Jennifer Simin, edited by Gary E. Clayton
www.privacycg.com

There’s a new California law designed to thwart identity theft—privacy advocates are praising it and federal lawmakers are attempting to adapt it for the nation. So why does SB 1386, the bill that added breach-notification duties to California’s Information Practices Act, incite such strong opposition from industry groups, corporate counsel, and business leaders nationwide? Two words: risk and reach.

The risk associated with SB 1386 applies not only to those who don’t comply with the law, but to those who do as well. And the law applies not only to organizations located in California, but also to those outside the Golden State.

Effective July 1, 2003, the Act requires that when an organization suffers a breach of security that results in the unauthorized acquisition of unencrypted personal information, the organization must notify the affected individuals in the most expedient time possible and without unreasonable delay. The Act affects every company and agency that stores personal information on California residents—even those entities located outside the state. Failure to notify can expose the company to civil suits, including class actions, for damages. But going public with the breach throws an organization into the court of public opinion, where the ruling can be a public relations nightmare that does irrevocable damage. Would you, for instance, shop online at a Web site that said it had been compromised?

A privacy crisis is a brand-threatening crisis. Jack P. Gibson, president of International Risk Management Institute writes: “once companies lose credibility in the marketplace, their entire business franchise is in peril. There is no insurance for this.”1 The question, then, is this: Can your organization or your client’s organization implement a disclosure process that limits the risk of damage to brand equity? The answer, along with some practical guidelines, will require that you: (a) know the law, its intent, and the unanswered questions it presents; (b) protect personal data; (c) educate appropriate parties; and (d) prepare a disclosure process before it is necessary.

Let’s start with the background requirements and work our way up to some recommended actions for mitigating risk during the disclosure process.

Know What the Law Says and Doesn’t Say

To begin, it’s best to clarify terms—something SB 1386 doesn’t do very well in a few important instances. To read the complete text of the law visit this Web site. Below is an explanation of the provisions of the law followed by some unanswered questions (other questions are sure to be introduced in courts). You’ll need to get legal counsel’s opinion on these vague areas.

Exactly Who Must Provide Notice of a Breach, and When? According to the law, any state agency or a person or business that conducts business in California that owns, licenses, or maintains computerized data that includes personal information must “disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Translation: If you hold a database containing personal information on a California resident, be it employee or customer, and you have reason to believe that the unencrypted data was taken by someone without authorization, you must disclose. It doesn’t matter if identity theft or fraud never occurred—you’ve got to go public. Note that the trigger is acquisition of the data, not merely an intrusion attempt, but the law leaves it to you to judge when acquisition is “reasonably believed.” Unanswered question to ask legal counsel: What exactly does “reasonably believed” mean, and what evidence (access logs, file timestamps, signs of data leaving the network) is enough to establish or rule it out?

What Constitutes Personal Information? SB 1386 defines personal information as:

an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: Social Security number; driver’s license number or California ID card number; account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Translation: Personal information is a name together with a Social Security number, a driver’s license or California ID card number, or a financial account or card number plus whatever code is needed to use it, where either the name or the data element is stored unencrypted. Encrypting the sensitive data elements therefore takes a record outside the definition, but the law does not say what counts as “encrypted.” Unanswered question for legal counsel: There is no widely accepted industry standard for encrypting data that is “at rest” (sitting in storage rather than moving across a network), so what level of encryption does the law require, and does data count as encrypted if the key was stored alongside it and may have been taken in the same breach?

What Does It Mean To Disclose the Breach? The notification required by SB 1386 must be made “in the most expedient time possible and without unreasonable delay,” consistent with the legitimate needs of law enforcement; a business that merely maintains data owned by someone else must instead tell the owner or licensee “immediately following discovery.” Notice may be provided by written notice or by electronic notice consistent with the federal E-SIGN Act. If the cost of providing notice would exceed $250,000, the affected class exceeds 500,000 persons, or sufficient contact information is unavailable, substitute notice may be given instead.

Substitute notice must consist of all of the following:

  • E-mail notice when the organization has the e-mail address
  • Conspicuous posting of the notice on the organization’s Web site
  • Notification to major statewide media

This is pretty straightforward. Unanswered questions here for legal counsel might be: Who decides what a legitimate need of law enforcement is? How specific do we have to be about the depth and breadth of the breach?

What Good Will It Do?

Despite legal interpretations and the complexities of compliance, SB 1386 is designed to protect consumers and, ultimately, help businesses and organizations. Identity theft is costly to consumers and the marketplace. Speed is of the essence in stopping the damage that identity theft puts into motion. SB 1386 will help reduce the time and money spent in minimizing identity theft damage. Furthermore, it will help to increase the number of intrusions reported to law enforcement. The Justice Department has complained for years that few hacker attacks are reported to police, even though many violate federal laws. The more law enforcement knows about this crime and its patterns, the better it can be fought.

The move to enact federal legislation similar to SB 1386 is underway. Senator Dianne Feinstein introduced the Notification of Risk to Personal Data Act (S. 1350) on June 26, 2003. It has been referred to the Senate Committee on the Judiciary. Getting your organization ready to comply with SB 1386 can be viewed as a head start on compliance with federal legislation that many say is inevitable. Visit this Web site to read Senator Feinstein's bill.

Practice Prevention

The best risk-mitigating method for complying with SB 1386 is to guard against data security breaches in the first place. Spending on security is often treated as an afterthought or, at best, a cost of doing business. However, to borrow another phrase from Mr. Gibson, cyberspace has become “a battleground, and unprepared businesses will be civilian casualties.”2 Risk managers need to protect organizations and consumers from ever-increasing cyber attacks and even disruptions of the Internet itself. The best way to do this is to provide information technology (IT) professionals with management, staffing, and financial support.

Part of this support should include a privacy and security assessment to determine customer and employee data collection and management practices and policies, and to review whether due-care network security standards and baseline safeguards are in place. In your security assessment, don’t forget to target attacks from within your organization as well as from the outside. A recent survey of over 500 U.S. workers performed by Harris Interactive Service Bureau found that 66 percent of participants said their coworkers, not hackers, pose the greatest risk to consumer privacy. Only 10 percent said hackers were the greatest threat. Forty-six percent said it would be “easy” to “extremely easy” for workers to remove sensitive data from the corporate database, and 40 percent rated the security level of their corporate database somewhere between “not at all secure” and “secure.” (See the detailed copy of survey results.)

Knowing your organization’s privacy and cybersecurity risks will not only allow you to close the gaps these risks present, but will help you create a disclosure process rooted in reality and, therefore, less likely to harm your brand. IT professionals should also encrypt data. Secure Sockets Layer (SSL) is necessary and yet, simultaneously, not enough. SSL is the most widely used encryption protocol on the Internet—a de facto industry standard. But it only protects data in transit between two endpoints; a copied database, a stolen backup tape, or an insider with a query tool is untouched by it. IT professionals must determine how best to protect data that is at rest (sitting in storage) and data that is in use (being created, viewed, or manipulated), and must decide where the keys live, since a key stored next to the data protects nothing in a breach that takes both. Again, security solutions here will require commitment from management—and money.
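The following is an added example, not code from the original article or from Privacy Council. It shows the field-level answer to the at-rest problem raised in the paragraph above and in the definition of personal information earlier on this page: the statutory data elements (Social Security number, account number, access code) are sealed with AES-256-GCM before they reach the database, each ciphertext bound to its own row and column, so a stolen dump holds names beside ciphertext rather than beside usable numbers. The table layout, column names, sample row, and in-memory key are assumptions for illustration; in production the key would come from a key-management system or hardware module that the database cannot read. Whether such a record is “encrypted” for the purposes of SB 1386 remains the question for counsel noted above; the code cannot settle it, and it offers no protection at all if the key is stored where the same attacker could take it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"io"
)

// StoredRecord is one customer row as it sits in storage, and therefore as it would
// appear in a stolen dump. Names stay in the clear; data elements are plaintext or ciphertext.
type StoredRecord struct {
	ID, FirstName, LastName, SSN, AccountNo, AccessCode string
	Encrypted                                           bool // data elements are ciphertext
}

// EncryptField seals one column value with AES-256-GCM, prepending a fresh random nonce.
// aad ("<rowID>:<column>") is authenticated, so a ciphertext moved to another row or column fails to open.
func EncryptField(key []byte, aad, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. A flipped bit, a truncated value or a
// mismatched aad yields an error rather than garbage plaintext.
func DecryptField(key []byte, aad, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("bad key or ciphertext too short: %v", err)
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(aad))
	return string(pt), err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals every non-empty data element of r, binding each ciphertext
// to its own row and column, and leaves the name columns untouched.
func EncryptRecord(key []byte, r StoredRecord) (StoredRecord, error) {
	for col, val := range map[string]*string{"ssn": &r.SSN, "account_no": &r.AccountNo, "access_code": &r.AccessCode} {
		if *val == "" {
			continue
		}
		ct, err := EncryptField(key, r.ID+":"+col, *val)
		if err != nil {
			return r, err
		}
		*val = ct
	}
	r.Encrypted = true
	return r, nil
}

// MeetsDefinition applies the article's reading of SB 1386 to a row found in a dump: a name
// plus at least one data element, with the elements in the clear (an account number counts
// only with a code that permits access). It cannot know whether the key was taken as well.
func MeetsDefinition(r StoredRecord) bool {
	if r.FirstName == "" || r.LastName == "" || r.Encrypted {
		return false
	}
	return r.SSN != "" || (r.AccountNo != "" && r.AccessCode != "")
}

func main() {
	// Assumption: random in-memory key; in production it lives in a KMS or HSM, never beside the data.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	row := StoredRecord{ID: "1001", FirstName: "J.", LastName: "Doe", // constructed sample, not real data
		SSN: "123-45-6789", AccountNo: "4000123412341234", AccessCode: "7712"}
	sealed, err := EncryptRecord(key, row)
	if err != nil {
		panic(err)
	}
	fmt.Println("meets definition, clear / sealed:", MeetsDefinition(row), MeetsDefinition(sealed))
	_, err = DecryptField(key, "1002:ssn", sealed.SSN) // same ciphertext under another row id
	fmt.Println("stored SSN:", sealed.SSN, "\nopen under wrong row id:", err)
}
```

Running the program prints `true false` for the clear and sealed rows, the base64 ciphertext that would sit in the SSN column, and an authentication error when the ciphertext is opened under a different row id. GCM is chosen over a bare block-cipher mode because it authenticates as well as encrypts: an attacker who can write to the table cannot splice one customer's sealed account number into another's row or flip bits in it without the application noticing at decryption time.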

Educate the Players

If your organization or your client’s organization wants to stay one step ahead of the SB 1386 disclosure mandate, employees must be aware of the law, its requirements, internal privacy and security policies, and potential intrusion risks. To stop the bad guys, the good guys have to have a clue. The Harris Interactive survey mentioned above reveals another interesting fact: There is a shortage of U.S. workers with this particular type of clue. Of the 500 U.S. workers polled, 32 percent were unaware of internal company policies to protect customer data; 28 percent of managers said they did not have or did not know if their company had a written security policy; and 96 percent were not aware of SB 1386.

In order to know when to make a disclosure, an organization must first know that disclosure is required, under what circumstances it is required, and what an intrusion can look like. You should also ensure that any partners and vendors with whom you share information are also well informed of the law and of privacy and security standards to which you expect them to adhere.

Disclosures That Build, Not Break, Brand Equity

To return to our original question then: Can your organization or your client’s organization implement an SB 1386 disclosure process that limits the risk of damage to brand equity? The answer is yes, if the organization is armed with knowledge of the law, knowledge of existing cybersecurity risks, and an understanding of the law’s importance.

The disclosure process starts with a detailed plan addressing the following issues:

  • Who is responsible for overseeing SB 1386 compliance before and when a data security breach occurs?
  • Do we have business partners who could cause a data security breach for which we could be liable?
  • What are the criteria for determining reasonable belief that an intrusion attempt has occurred?
  • Who is the spokesperson for SB 1386 disclosures?
  • Have all staff and other appropriate parties been trained in SB 1386 compliance?
  • Is a policy in place on what types of records should be kept to aid in possible criminal prosecutions of hackers?
  • Is a policy in place on speaking publicly about privacy and security issues?

Many security experts say that despite all the best efforts, it is only a matter of time until every organization suffers some sort of intrusion attempt. So, when crafting a disclosure, keep in mind that today’s consumers are going to be seeing more and more of these statements (especially if the push to introduce federal legislation similar to California’s SB 1386 succeeds). While your disclosure will be noted, it certainly won't be unprecedented.

Also, be prepared for media coverage even if your situation does not require notification of the press. Local and national publications regularly run stories on the disclosure statements companies make about privacy and security breaches.

The disclosure statement you publish will be affected by the method of communication you choose, by whether you notify all victims or only California residents, and by the possible necessity of delaying notice for one of the reasons allowed by the law. A few principles, however, are wise to consider whenever creating a disclosure statement, regardless of the medium you use for communication:


Disclosure Guidelines

  1. Notify law enforcement first. Remember that the more law enforcement knows about cybercrime and its patterns, the better it can be fought.
  2. Become a consumer advocate. Consider educating your customers about the law before a breach ever happens, using a communication that also informs them how your organization plans to handle disclosure in the event of a breach. Inform them of current studies regarding the growth and danger of cyber attacks. This practice can go a long way in garnering trust, which in turn will have a positive effect on any disclosures you must make in the future. Remember that transparency is highly regarded in the court of public opinion.
  3. Complete a disclosure audit. Using the results of your privacy and security assessment, develop a list of watch issues or scenarios that may lead to privacy and security breaches for your organization.
  4. Develop a short prepared statement for each identified watch issue. Take the results of your disclosure audit and summarize your organization’s message in relation to each potential threat.
  5. Make the disclosure statement positive and forward looking. Emphasize what new protections are in place to avoid a future recurrence.
  6. Be clear in your disclosure about inquiry procedures for affected employees and consumers. Again, transparency is highly regarded in the court of public opinion.
  7. Designate and train a disclosure communications spokesperson. A single spokesperson for disclosure communications will ensure a consistent message. Your spokesperson should have a title that is directly connected to your organization’s privacy policy. Because media coverage is likely, and shareholder inquiries are certain, your spokesperson should have strong communication skills and should be trained to answer specific questions in a decisive and positive manner.
  8. Assess the damage. Take the temperature of non-media audiences to determine the extent to which the privacy crisis has hurt the reputation of your organization. Devise a communications strategy to restore their trust.
  9. Analyze the media coverage. Where was your disclosure covered? Where was it ignored? Who did the best job of reporting the story? Who got it wrong or was particularly tough? Answers to these questions will create a roadmap of steps you will need to take to repair any damage done with key journalists or news organizations.
  10. Keep your public informed with direct and substantive updates. Use e-mail, snail mail, and your Web site to keep the public informed. You may wish to consider conducting special phone-based briefings for some victims and other non-media audiences.

Conclusion

The time to prepare a disclosure process for complying with SB 1386 is before an intrusion happens, not after. A proactive approach does not mean admitting defeat prematurely. Planning ahead prevents chaos and confusion at the time of crisis. It is already easier to sway public perception in a negative direction than a positive one; don’t make the job easier still by being caught unprepared.

SB 1386 is a mixed bag for risk professionals. There are many unanswered questions regarding the Act that will have to be decided in a court of law. In the meantime, compliance is a slippery path surrounded by risk on all sides. Still, the law represents progress in defending the increasingly valuable asset that is personally identifiable information—good news for businesses and consumers alike. It is hoped that compliance with the law will turn the slippery path into a fast-moving highway, where secure, trusted information exchange gains traction.


Jennifer Simin is an editor with the Knowledge Products division of Privacy Council, Inc., the global resource for privacy and data protection services. Ms. Simin has edited over 10 books and interactive CD-ROMs on privacy and data protection including Privacy Manager Work Plan, HIPAA Privacy Implementation Guide, and PR Strategies for Privacy Issues. Currently, she is editor of the nation’s leading privacy, data and security digest, Privacy Weekly, which is also published by Privacy Council every Wednesday. Before entering the privacy arena, Ms. Simin spent 7 years in business-to-business marketing with a focus on healthcare, energy services, and commercial real estate markets.

________________________

1“Message from the Editor”; IRMI Insights—Issue #3, September 12, 2000.

2“Message from the Editor”; IRMI Update—Issue #61, March 18, 2003.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author’s employer or IRMI. This article does not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.