Security flaws like those that occurred at FTD.com and in Microsoft's Passport service could trigger notification under the law.

Online auctioneer eBay won't have to change its business practices to comply with the law, said spokesman Kevin Purseglove. "We feel the steps that we have historically always taken with regards to notifying users about the possibility of any breach will essentially be the same steps that we follow under this new law," he said.

Despite such sentiments, security firms that deal with encryption or securing data have had a significant jump in inquiries from companies that believe they could be affected by the law. "It's dramatic," said Jim Schoonmaker, chief executive of Liquid Machines, which sells software to ensure that data stays encrypted. "They are coming from all over the United States. Any large enterprise has customers in California, and more importantly, they are looking at this as a harbinger of what is to come."

The California law exempts personal information that a company has stored in an encrypted format, and thus encrypting data may be the easiest way to comply, said Nick Akerman, an attorney with New York law firm Dorsey & Whitney. "If someone brought a lawsuit, the company would have to show that they had the data encrypted," he said. "The law doesn't apply to encrypted data. It's basically saying to companies that if you encrypt the data, you don't have to give notice."

Guaranteeing the data is encrypted all the time may not be feasible for every company, so other security companies are focusing on strengthening the locks. Application security firm Sanctum secures the way people access data through the Web and other avenues. Such application firewalls check to make sure that the access to data is legitimate and not part of some attack. "While encryption is a necessary part of this, it is not sufficient," said Peggy Weigle, Sanctum's chief executive. "There are multiple weak points on the Internet chain."

As the deadline for the law has neared, Sanctum has received numerous inquiries, said Weigle.

In conjunction with other legislation that makes companies accountable for the security and integrity of the data they hold, such as the Health Insurance Portability and Accountability Act, or HIPAA, and Gramm-Leach-Bliley, the Security Breach Information Act likely signals that more laws to protect consumers will be on the way. For example, US Senator Dianne Feinstein introduced federal legislation last week modelled on the California law. "I strongly believe individuals have a right to be notified when their most sensitive information is compromised -- because it is truly their information," Feinstein said in a statement. "This is both a matter of principle and a practical measure to curb identity theft."





