SB 1744 Senate Bill - AMENDED:
Existing law requires any agency, or a person or business conducting business in California, which owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The bill would require that an agency or a person or business that has suffered a breach of the security of the system to provide 1 year of a credit monitoring service, as defined, without charge offer to pay the fees associated with placing a security freeze on consumer credit reports to each person whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
The bill would require specified information to be included in the notice given to California residents pursuant to these provisions and would require a copy of these notices also be provided to the Office of Privacy Protection. The bill would also make technical changes to these provisions.
----------
To me that's a bit bone-chilling... but at the same time... there's a part of me that says maybe stuff like this is the key to get folks to wake up and start taking security seriously.... The next time one of those small businesses that handle names or credit card numbers or anything like that suffers a breach, whether because they cannot encrypt (vendors won't support encryption) or because they don't want to take security seriously... quantify the cost of offering every single one of their potentially affected clients or customers a year's worth of credit monitoring service. Now then, now that you have THAT quantifiable cost stuck in your brain... think about the stuff that doesn't have a price tag on it... unless you are in the business valuation biz like I am.
- Business reputation
- Client trust
- Public Relations impact
Quantify those... quantify the value of your business... now then... are you... RIGHT NOW... this very moment doing "good enough" security to ensure that you are taking reasonable precautions to protect the valuable data you have? I know I'm not doing as much as I should and I could do more... I know my vendors (and I'm not talking Microsoft here... but CCH and Intuit) are definitely NOT doing enough to HELP me protect my clients' data. I know that I need to do a better job of end-user education. My gang knows enough to ask me... but I could do better here. I need to add remote control software and better management of the home machines that connect to my network. They are just as much a part of the security fabric of my network. I want to do (I need to do) a better job controlling/filtering/protecting email. Even though sometimes I don't quite consider SPAM a security risk... the fact that it's an example of social engineering that's slithering its way into my firm means I need to do more.
No, it's not law... but it's having a hearing in a few days.... and you know what... while there's a bit of a chill factor in reading that proposed law... it's hard to argue against it, isn't it? We do need to step up to the plate and do our part. And we're really not, are we?
So pay for security in your networks... a cost to ensure that "nothing bad happens" (as someone is apt to say in his speeches and book), or pay for it later... and at a much higher cost than you intended to... a real cost to your business.
Quantify doing nothing... absolutely nothing at all.... and soon you'll realize it has a much higher cost to your business than the price tag of "nothing bad happening".