Reflections on California Law SB1386
California’s SB1386 statute requires (among other things) that commercial organizations promptly notify potential victims of data security breaches if such individuals are California residents. It is hard to believe that this legislation has now been in effect for over five years. What impact has the legislation had? How could its provisions be improved? What is likely to happen next?
Assessing the impact of SB1386 is not at all difficult. Simply put, this legislation has been groundbreaking; it has served as a catalyst for similar legislation in over 40 states within the US. A number of states have passed legislation that has improved on the various weaknesses and omissions within SB1386. The result has been good for the US public; prompt notification of individuals potentially affected by a data security breach ostensibly lowers the likelihood that personal and financial data will be misused by computer criminals. At the same time, however, SB1386 has not generated sufficient momentum for national data security breach notification legislation. Numerous attempts to get the US Congress to pass data security breach notification legislation have failed; opposition has primarily come from Congresspersons who are concerned that prompt notification will cause businesses to incur additional financial expenses.
SB1386 has also had an impact on IT departments, and particularly on IT security functions, within commercial organizations, in that it has forced both to consider and prepare for “what if” scenarios in which data security breaches occur. After all, the need for compliance has lately served as a greater motivator for implementing control measures within IT and IT security than has security-related risk itself. Consequently, many organizations, especially ones that store and process massive amounts of personal and financial information, have had to come to grips with data security breach notification requirements, either by developing their own notification procedures or by turning to third-party service providers that handle notification when called upon.
SB1386 itself is hardly a model of perfect legislation. First, it applies only to commercial organizations (although it has inspired non-commercial organizations such as the University of California-Berkeley to notify potentially affected individuals after massive data security breaches have occurred). Second, it does not offer direction concerning exactly when notification must occur, something that is potentially extremely critical in that the longer the delay in notification, the greater the risk of identity theft. Third, it does not give much guidance concerning how notification must occur. The most effective method of notification is mailing letters to individuals, but this method is not required; in fact, SB1386 mentions that mass media such as television broadcasts can be used in the case of massive data security breaches. Unfortunately, methods based on information dissemination through mass media are likely to reach a far lower percentage of individuals than other methods. Additionally, SB1386 exempts organizations that encrypt personal and financial data from the requirement to notify potentially affected individuals, even though extremely weak encryption (e.g., ROT-13) that is trivial to break may be used. At a minimum, this statute should have specified the minimum acceptable level of encryption.
What’s in the future? California legislators have repeatedly tried to pass legislation intended to improve upon SB1386’s weaknesses, only to face Schwarzenegger vetoes. Even if he is not recalled, Schwarzenegger is getting close to being a lame duck. Eventually, someone who is more sympathetic to customer and consumer welfare will become governor of California; at that time improved data security breach notification is likely to be signed into law. The same is likely to be true of the federal government. The public is demanding change, and is likely to get it, with the upcoming national elections being the most likely catalyst. The public wants and needs national statutes that greatly lessen the probability of identity theft. Sooner or later, it will be pleasantly surprised to see that national data security breach notification legislation has been signed into law.