California Law Seeks to Stem Identity Theft Tide

A California law set to take effect July 1, 2003 seeks to stem the tide of identity theft. There is a better strategy than throwing security products at it.

"Sleeper" law set to take effect for anyone doing business in California without much notice; practical steps that covered entities can take.

Adding to the reasons for having a good information security program in place, California's SB 1386 goes into effect July 1, 2003. In an effort to stem the tide of identity theft, the law was written to require any person or company handling "personal information" of California residents to report security failures.

SB 1386 isn't limited to California companies; all entities with personal information of California residents are covered. Under the law, companies that fail to protect personal information face several problems, including fallout from a public relations nightmare, defection of clients to competitors whose systems are perceived to be safer, and the potentially tremendous expense of civil liability.

Similar legislation is being considered elsewhere, including the United States Senate.

Reporting compromise requires detecting it. The capability to detect compromises and to inform California residents of them is an absolute minimum requirement. Obviously, avoiding security failures is preferable to informing your customers that you're responsible for unauthorized disclosure of their personal information.

Effective Risk Management Strategy

Ignoring risk is no longer a viable option; the most cost-effective strategy is now to recognize that risk exists and that it must be managed, and to implement an information security program that will identify and manage risk.

An effective information security program is a mechanism for risk management. Rather than blindly spending money on security products and services, risk management allows organizations to understand what their risks are, how they can best be addressed, and the potential impact of undesirable events.

When considering whether you have the capability to address these concerns in-house, or which vendor should provide the support you need, be sure that you are getting satisfactory answers to these questions:

  • How will the proposed program help me to understand real risk to my organization?
  • How can I prioritize security concerns, being sure that the most effective prevention and detection mechanisms are put in place first?
  • How will the proposed program ensure that the risk management posture of the organization is in harmony with how we manage risk in other areas, e.g., liability in the marketplace, workplace, and exposure to financial risk?

Interhack offers a full range of Information Assurance services. Take a look at what we have to offer and let us work with you to define a program that gives you cost-effective help with real market concerns.

For More Information