California Individual Privacy Senate Bill 1386 Effective July 01, 2003.
Content
• Requires all institutions and organizations that collect certain personal information to protect it against possible "identity theft."
• If an incident occurs that involves the compromise of personal information, the individuals whose personal information may have been compromised must be notified.
Preventive Measures
• Implementing rigorous policies and controls;
• Re-architecting the critical infrastructure and/or applications;
• Elimination of user IDs and passwords;
• Use of encryption beyond the network.
Personal Information
• First name OR first initial and last name in combination with one or more of the following:
  • Social security number
  • Or driver's license number
  • Or California identification number
  • Or financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Who is affected?
• Any business, government or non-profit agency, or individual that stores confidential information about California residents on their computers.
• As long as you have a single employee or customer that resides in California, and as long as you store any confidential personal information about that employee or customer on a computer, you will need to comply with SB 1386.
Notification
A company may choose to use a Substitute Notice, instead of the direct mail or electronic notice if:
• There are more than 500,000 customers or employees to be notified OR
• If the cost of disclosure is expected to exceed $250,000
Notification
The Substitute Notice consists of using ALL of the following means of communication:
• E-mail, if the company/agency has an e-mail address on file;
• Posting on a publicly-accessible web-site, if the company/agency maintains one; and
• Notification to major statewide media such as newspapers, television and radio.
Enforcement Responsibility
• The Attorney General of the State of California, and the Federal Trade Commission have put together comprehensive lists of things to do, which I won't repeat here; their sites can be accessed at http://caag.state.ca.us/idtheft/tips.htm and http://www.consumer.gov/idtheft/ respectively. Go to both these links and follow the instructions given there.
Recent Security Breaches Disclosures
• Window smashed, data lost – March 2004
  • A thief smashed the rear window of Larry Saltzman's Saab not long ago and stole his gym bag, a gold watch, credit cards, a few hundred dollars and the names, addresses and Social Security numbers of about 95,000 Bay Area residents.
• UCLA laptop theft exposes ID info - Nov. 2003
  • Representatives of the University of California, Los Angeles, are warning 145,000 blood donors they could be at risk for identity theft due to a stolen university laptop. UCLA's Blood and Platelet Center included the advisory in a letter sent last week to all who donated blood through the organization.
More Examples
• http://www.strongauth.com/regulations/sb1386/sb1386Disclosures.html
Interesting Links
• UCSB IT Site
• Actual Bill - Text
• Security Management PDF