SB-1386 ISO27001 data breaches risk assessment California

Information Security, ISO27001 and SB1386, and other State Breach Laws

Senate Bill 1386 (SB-1386), also known as the California Information Practice Act, was passed into law in July of 2003. The primary purpose of the bill is to force companies to think more seriously about information security and its impact on the residents of California. The law focuses on companies (primarily in the US but, in reality, throughout the world) and their need to protect the personal information of California residents.

SB-1386 requires any ‘state agency or entity’ that holds personal data about customers (or employees) living in California, and that suffers a breach of security relating to any database holding that personal information (unless the data is encrypted), to notify the entire class of customers where the security of even one of them may have been breached, however that breach occurred. The costs of communicating with every Californian on the database, in addition to the negative publicity and reputation damage for the organization, are significant outcomes of a failure to establish a best-practice information security management system.

Data breaches continue to proliferate, and the Privacy Rights Clearinghouse had, by May 2007, tracked the exposure of over 154 million data records of US residents since January 2005. Against that background, data breaches continue to attract legislative attention. Congress, however, is still failing to pass a federal breach law, and States have been leaping into the breach.

More than 20 States have now passed security breach laws similar to SB-1386. Here is the Crowell & Moring table of state breach laws. Companies that seek to avoid the penalties of compliance failure need to implement a comprehensive information security management system that will protect the confidentiality, integrity and availability of individual data.

ISO 27001 provides an independent, internationally recognized best-practice framework for achieving these objectives.

