CA Bill 1386

From The Secure Arc Wiki


In the United States, the California Security Breach Information Act (SB-1386) is a California state law requiring organizations that maintain personal information about individuals to inform those individuals if the security of their information is compromised. The Act stipulates that if there's a security breach of a database containing personal data, the responsible organization must notify each individual for whom it maintained information. The Act, which went into effect July 1, 2003, was created to help stem the increasing incidence of identity theft. The Act was updated in February, 2006.

Each requirement of the law relating to Information Security is broken down further into more specific sub-requirements that can be mapped back to both the Security Principles that drive them and the Design Patterns that satisfy them.

Compliance

The following areas should be considered for compliance with the bill:

  • Data Encryption Policies - Encrypt customer data both at rest and in transit.
  • Data Classification Policies - Policies should clearly indicate the level of protection required for various information types. In this case, personal customer information would be highly sensitive data that requires a higher level of protection.
  • Incident Response Policies and Procedures - An organization should have existing incident response policies, including specifications about what forensic data should be saved and in what way. The incident response policies should include a minimum required time frame for forensic or other analysis to help determine your organization's "reasonable" notification time.
  • Incident Disclosure Policies - The best case scenario is to have specific incident disclosure policies that address the bill's requirements. These policies would include discussion of the types of breaches, the data potentially lost in the breaches, and the proper people and channels responsible for notification of outside agencies.

Documentation

This legal publication is freely available on the internet. link
