California Security Law Could Bring Opportunity
"This will help drive much-needed attention to tightening security systems, policies and encryption methodologies," said Kevin Jackson, vice president of sales and operations at Corsa Network Technologies, a security integrator in Campbell, Calif.
Jackson said his firm expects to see more attention paid to encryption-based solutions as a result of California Senate Bill 1386, which will open up opportunities for solution providers, manufacturers and auditors in the network security space, he said.
\
Corsa's Jackson: Law will draw attention to tightening security systems.
The law, which takes effect July 1, aims to thwart identity theft. It was prompted by a breach at a state data center that exposed the personal information of more than 250,000 state workers last year. The law requires agencies and companies that maintain personal data on California residents to disclose any security breach in which an unauthorized person has accessed,or is believed to have accessed,unencrypted personal data.
Personal data, as defined by the law, is a full name combined with information such as Social Security numbers or account numbers with access codes.
Jim Kelton, president of Software Unlimited, an Irvine, Calif.-based solution provider, said many companies aren't aware that the law takes effect in July. His firm uses a five-step process that begins with making customers aware of the law and the security issues it presents. Other steps include corrective action and developing a response plan in the event of a breach, Kelton said. "We're hoping we can get some consulting as we move through these steps, but the first part is awareness," he said.
THE LOWDOWN ON THE LAW: Components of california Senate Bill 1386
>> Businesses that maintain personal data on California residents must disclose security breaches that result in unauthorized access to unencrypted personal data.
>> Notice must be immediate on discovery but may be delayed for law-enforcement purposes.>> Takes effect July 1.
Gary Morse, president of Razorpoint Security Technologies, a New York-based security-services firm, said an amazing number of security breaches go unreported, but he's skeptical about how effective California's law will be. "I'm waiting to see what the enforcement plan will be," he said.
Indeed, the law probably won't be enforced, said Mark Doll, director of Americas for New York-based Ernst & Young's Security Technology Solutions practice. "Therefore it's not going to have a lot of effect," he said.
Small companies, or those that aren't sophisticated about security, could claim that they didn't report a security breach because they didn't know about it, Doll said. And outside California, there is little awareness of the new reporting requirement, he added.
U.S. Sen. Dianne Feinstein has drafted a similar bill at the federal level, but it remains under development, according to a spokesman for Feinstein.