The Problem:
Adhering to California Senate Bill 1386 is crucial for any organization dealing with the personal information of individuals based in California. SB1386 sets out specific privacy breach reporting requirements for organizations that hold electronically stored personal information. Failure by an organization to comply by informing individuals when their personal information has been compromised, or when even a suspected breach has taken place, can have catastrophic consequences. SB1386 states that individuals have the right to bring civil cases against organizations that fail to inform them of a breach. Non-compliance therefore costs an organization both in financial terms and in damage to corporate reputation, through the negative publicity brought by a breach and through shaken consumer confidence.
The Solution:
In April 2007, California State’s CIO IT Council developed and adopted The Information Security Program Guide, a guide to aid organizations in compliance with SB1386. The guide strongly recommends the use of the Information Security Standard ISO/IEC 27002:2005 as the best all-purpose approach to meeting the demands of SB-1386.
ISO27002 gives the user detailed guidance on vendor-neutral, best-practice information security management, making it the natural choice for any organization that must comply with SB-1386.
The IT Governance comprehensive SB-1386 & ISO27002 Implementation Toolkit is specifically designed by experts in data compliance legislation to guide organizations and agencies that must act in accordance with SB1386; it conforms to ISO27002 and, if desired, also helps organizations prepare for external certification (ISO27001) that would demonstrate conformance to that standard.
This document, ‘Compliance with California Senate Bill 1386 Requirements cross-referenced to ISO27002’, lists the SB1386 compliance recommendations provided in the State of California Office of Privacy Protection’s Recommended Practices on Notice of Security Breach Involving Personal Information (May 2008 Revision) and identifies the relevant clause(s) in ISO27002 and in the IT Governance SB-1386 & ISO27002 Toolkit.
An ISO27002-compliant Information Security Management System provides an information security infrastructure that gives cost-effective regulatory compliance with not only SB-1386 but a whole host of compliance legislation, including
The Comprehensive SB1386 Implementation Toolkit comprises:
1. The SB 1386 Documentation Toolkit: a download of nearly 400 densely packed pages of fit-for-purpose policies and procedures ensuring full compliance with SB 1386.
2. International IT Governance: An Executive Guide to ISO 17799/ISO 27001 (Soft Cover): the US version of the long-established, world-leading manual on designing and implementing an Information Security Management System (ISMS) in line with the best-practice guidance of ISO27001/ISO17799.
3. vsRisk™ – the Definitive ISO 27001:2005-Compliant Information Security Risk Assessment Tool, which in summary:
· Automates and delivers an ISO/IEC 27001-compliant risk assessment
· Uniquely, can assess confidentiality, integrity and availability for each of the business, legal and contractual aspects of information assets, as required by ISO 27001
· Offers comprehensive best-practice alignment:
  · Supports ISO 27001
  · Supports ISO 27002 (ISO/IEC 17799)
  · Conforms to ISO/IEC 27005
  · Conforms to NIST SP 800-30
· Uses a wizard-based approach that simplifies and accelerates the risk assessment process
· Includes integrated, regularly updated, BS7799-3-compliant threat and vulnerability databases
4. Plus an electronic copy of the Information Security Standard ISO/IEC 27002 (formerly ISO 17799).