California SB 1386, a new law in the Golden State, requires companies with even a single California customer to report any personal data breach to the affected parties, or be subject to civil penalties. Moreover, US Senator Dianne Feinstein (D, CA) has proposed similar legislation in Congress.
"This is a completely new type of legislation without precedent," says Ty Sagalow, COO of AIG eBusiness Risk Solutions (eBRS, New York), a provider of network security insurance. The legislation contains security best practices, and if those standards are met, "they will fall into the safe harbor," Sagalow says, adding that the companies still need to contact exposed clients anyway.
"It forces people to be proactive and they have to understand that they have to deal with the security," says Eitan Bauch, CEO of New York-based MagniFire Websystems, a provider of Web application firewalls. "Companies will face a public relations nightmare, not to mention specific civil penalties."
AIG's Sagalow notes, "This law is unique, in that it specifically addresses civil penalties," adding that he expects other states to follow California's model. Texas is currently considering legislation similar to SB 1386.
Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology.