Calif. law protects us from security breaches

No matter where you live in the United States, your protection against identity theft is about to get better. And you can thank the California legislature for that.

As of July 1, a new California statute requires any business with customers in California to alert those customers if anyone steals sensitive private information that could lead to identity theft (like your name combined with your Social Security number, driver's license number, or financial account information). The notifications must go out even if the company merely suspects a cyberburglary.

The law requires disclosure only if the information at risk is unencrypted. Any company that fails to inform California customers that their information was stolen could face costly lawsuits.

The effect of the new law will reach well beyond the borders of the Golden State, says Chris Hoofnagle, deputy counsel for the Electronic Privacy Information Center, a privacy advocacy group. "A lot of businesses that operate nationwide will treat all their customers as though they're Californians," Hoofnagle says.

After all, many large Internet companies have difficulty distinguishing exactly where a customer lives; on file they may have only an e-mail address, for instance. And customers in Oregon or Maine won't be happy to learn that they weren't notified of a security breach just because of where they live.

Previously, companies that fell victim to malicious hackers or other kinds of computer data theft have been able to keep the details of the crime under wraps, out of sight of their customers and stockholders. When a hacker stole credit card information from online music store CDUniverse and demanded US$100,000 to keep quiet about the crime, the company contacted the U.S. Federal Bureau of Investigation. But it didn't let customers know about the security breach until the 18-year-old Russian cyberthief posted the credit card information online.

"It's common sense that individuals should be notified when their personal information is stolen from companies," Hoofnagle says, "but there was no law that required this until now."

Most important, Hoofnagle says, the law will make companies wary about asking for and storing sensitive information that the firms don't need, and this change will help both the companies and their customers. You run less risk of identity theft overall if your information is in fewer places, and if the places with the data protect it more securely. "Businesses will be less likely to collect (Social Security numbers) in the future," Hoofnagle says, "and that will be good for privacy."

Subscribe to the Best of Macworld Newsletter

Comments