Preparing to deal with California's Senate Bill 1386

From: StrongAuth, Inc. Newsletter (
Date: 12/07/02

From: "StrongAuth, Inc. Newsletter" <>
Date: Sat, 7 Dec 2002 11:17:34 -0800

This is a one-time posting. We apologize for using this forum to publish this newsletter - however
it is our belief that every security-conscious person will be interested in this law and its implications
to their companies. Regards.

     StrongAuth, Inc. Newsletter

      December 6, 2002
      Copyright © 2002 StrongAuth, Inc.





     Preparing to deal with California's Senate Bill 1386





     If you're a business, or agency of any kind, doing business in California or with Californians, and if you store confidential employee or customer information in any form of a computerized file or database, you need to prepare for California's Senate Bill 1386 (SB 1386).

      Chaptered into California's statute on September 26th, 2002, and to be effective July 01, 2003, the Bill requires, that when a business has a security breach resulting in unauthorized access of confidential information, such as Social Security numbers, Drivers License numbers, Credit/Debit Card numbers, Account numbers, etc., unless authorized by law-enforcement officials, the business/agency must notify those affected, of the breach, immediately. Failure to notify can result in civil damages and/or lawsuits against the business/agency.

      Whom does this effect? Every company and or agency that deals with California-based employees and/or customers. It doesn't matter whether you have an office in California or not; nor does it matter if your servers are in California or not – as long as you store personal information about a current California resident on a computer, the statute applies to you.

      The risk is, obviously, the highest for those that transact with their employees and/or customers on the Internet. This is because, transactions on the Internet typically involve the use of some confidential information for authentication and authorization. As a result, there is a pathway from the Internet to the confidential information, and thus, a higher potential for compromise.

      However, companies that have no Internet presence at all should not consider themselves immune – information can still be compromised on intranets and even stand-alone computers!

      No, unfortunately, a firewall does not prevent such unauthorized access. Firewalls are about as effective as the walls of your home are, in preventing burglaries. They still need to keep certain 'doors' open for legitimate traffic to pass through; consequently almost all Internet attacks today use these legitimate doorways to compromise systems.

      Secure Socket Layer (SSL) isn't much help either. This bulwark of encryption only protects information as it travels over network wires; once it reaches its destination, it must be decrypted to be used. A breach to the system, after the point of decryption, can compromise the confidential information.

      What is the risk to companies and agencies here? After all, the statute only requires notifying the people who're affected, after discovery of the breach. The risk is a public relations nightmare for companies that hold people's identity information in trust. If an e-commerce vendor's name were to show up in the local news every 2 months, it wouldn't be too long before the vendor goes out of business. Secondly, since the statute now opens up a new liability for companies, minimizing the effort required to manage SB 1386 compliance could subject the company to class action lawsuits.


      Understand the statute: This would be the first step in dealing with the law. Larger companies that have in-house Legal departments will be able to get opinions from them on the requirements for compliance. All others may want to get an opinion from an external attorney, if necessary. More information on the statute is available through the Resources link, provided below.

      Establish a task-force: Ensuring compliance will require changes to policy, procedures and the technologies that make up the company's computing infrastructure. The task force must have management commitment, funding and the mandate to bring about change. A sure way to find yourself in court is to skimp on the resources for this task-force at this stage.

      Plan for the disaster: As secure as we all believe we are, statistics indicate that its only a matter of time before a computer system is breached and information is compromised. Ensure that you have a plan to deal with it, and have gone through the drills. You don't want to practice for this, during an actual disaster.

      Bite the bullet: Businesses view spending on security as an unneeded expense that must be minimized (since it does nothing to generate revenue). While spending on security – just like the insurance premium on your liability policy – is a cost of doing business, recognize that the world has become increasingly dangerous. Cyber-attacks, unlike real-world attacks can be launched from anywhere in the world, including inside your own company. Unless businesses recognize this risk, and are willing to spend the money to protect themselves, they're subjecting the future of the company to jeopardy, as disclosure is mandated.

      Evaluate your priorities: Consumers provide confidential personal information to business, in trust. Notwithstanding the legalese, for businesses to treat it like a commodity that can be bought or sold, is a failure of that trust. While the short-term might result in increased revenues (from sales of lists), in the long-term, they engender customer dissatisfaction and disappointment. They also run the risk of their own message being trashed amongst the noise generated from the lists they sell. Refusing to divulge customer information to anyone, unless accompanied by a judicial order, is a sure-fire way to generate customer goodwill, while minimizing the potential exposure.


      StrongAuth, Inc.'s SB 1386 Resource Center.


      California has become the first state in the USA to mandate notification upon the breach of a computer system under certain conditions – others are reviewing this. Business and Industry Trade associations opposed the Bill when it was revealed. Despite the opposition, the Bill passed unanimously (39-0 in the Senate, 78-0 in the Assembly, with one abstention, absent or not voting). The writing is clearly on the wall – manage it, or let it manage you.





     Permission to reprint and forward this newsletter is granted, as long as the newsletter, including its copyright, is not modified in any manner. Comments are welcome, to





     If you do not wish to receive any more newsletters, please send an e-mail to with the word unsubscribe in the subject.

      If you are not already on the subscription list, you can start receiving this newsletter by sending an e-mail to with the word subscribe in the subject. Anonymous e-mail addresses are discouraged.