California SB 1386 Security Compliance


CA SB 1386 Compliance

What is CA SB 1386?
CA SB 1386 is designed to ensure that Californians are alerted whenever their personal information may have been compromised. The law requires those who own or license personal information of California residents to notify them if their data has been breached. The law went into effect July 1, 2003.

California SB 1386 was the first of many database breach notification laws. More than half the states have followed suit with similar regulations.

Who is affected by CA SB 1386?
Any agency, person, or company that conducts business in California and owns or licenses "personal information" is subject to CA SB 1386. In other words, any organization with a customer or employee residing in the state is affected.

What are the requirements of CA SB 1386?
"Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." (SB 1386)

"Personal information" is defined as an individual's name in combination with his or her social security number, driver's license number, account number, or credit card number, along with information needed to access the financial account.

A company must notify those affected by written or electronic notice when it believes an unauthorized person has obtained personal information. In cases where notification costs more than $250,000 or affects more than 500,000 people, substitute notice measures may be employed, such as notification to major statewide media, posting on the company's website, or notification by email. In practice, security breaches usually result in public disclosure.

The law explicitly states that encrypted personal information is not subject to notification requirements when it is stolen or disclosed accidentally. Thus, protection through encryption of data in motion or at rest is a universal safe harbor for companies seeking to comply with the requirements of SB 1386.

What are the penalties for CA SB 1386 non-compliance?
The law does not impose fines or minimum prison sentences, but it does specifically allow civil lawsuits: "Any customer injured by a violation of this act may institute a civil action to recover damages."

But beyond any legal verdicts, there are other significant costs to the company. Every customer involved in a data breach must be notified at the company's expense. That expense can be considerable. Current estimates of the cost of a data breach are $192.00 USD per record. Perhaps most damaging of all is the serious harm suffered by the company's brand and reputation.

How do companies comply with CA SB 1386?
Organizations can comply with SB 1386 in one of two ways:
  1. Encrypt customer data. This approach takes advantage of the safe harbor provided within the bill. This means that even if a company's data is breached, as long as it was encrypted, they are not required to notify any customer.
  2. Companies can leave their customer data unprotected and incur the costs and losses associated with customer notification in the case of a data breach.

How does CipherOptics help?
When you need to encrypt your data in motion, CipherOptics makes it easy. Whether you need to protect a single link, or your entire network, we eliminate the complexity of encrypting today's networks.

Our solutions combine standards-based, wire-speed encryption appliances with CipherEngine, the only policy definition and key distribution technology designed for multi-node networks. Together, they give you the highest level of data protection at the lowest total cost. CipherEngine gives you the power to protect data in motion wherever, however and whenever you want, without changes or disruptions to your network, your infrastructure, or your operations.

To see just how easy it can be to comply with CA SB 1386, call 1-877-878-6655 or feel free to ask us a question.

Helpful Resources
Text of California SB 1386