With California Governor Gray Davis' signature, a groundbreaking law requiring organizations doing business in the state to come clean about breaches of personal data takes effect July 1, 2003.
The law, SB 1386, recently signed by Davis, requires companies, non-profits and government agencies conducting business in the state to notify their California customers when those customers' personal data is compromised by a computer security breach.
The law's unprecedented disclosure requirement is triggered by the unauthorized acquisition of unencrypted personal data, meaning an individual's name in combination with a social security number, a driver's license number, or an account or card number together with any code needed to use it. When outside hackers or rogue insiders acquire such data, the company must notify the affected California residents "in the most expedient time possible and without unreasonable delay."
State law, national statute
While SB 1386 is enforceable only in California courts, its broad scope makes it a national statute in practice. In the internet age it is hard to imagine a major U.S. company that neither transacts business in California nor stores personal information of California residents, the two factors that bring a company under the law's purview. Companies that fail to comply are subject to claims for damages and injunctive relief in civil actions, which may take the form of sweeping class action lawsuits.
The far-reaching law raises several compliance challenges for corporate counsel and computer security directors. Disclosure is mandated when a company reasonably believes that protected data has actually been compromised. But what constitutes a reasonable belief? Must every customer be notified? Even after a significant network intrusion, can a company properly establish whether the incident resulted in actual compromise of protected data? How can a company prove in court that an incident did not result in unauthorized access to protected data? And if a hacker or rogue insider does gain such access, under what circumstances may a company delay notification?
Meeting the challenge
These challenges can be effectively addressed through comprehensive incident response planning and implementation of enterprise computer forensics investigation processes. Primary purposes of a comprehensive computer incident response include identifying the wrongdoers (whether the perpetrators are operating from the internet or as insiders) and determining the cause of the incident to enable remediation.
Another critical component of incident response planning is the computer forensics investigation process for preserving, recovering, analyzing and documenting computer evidence. Enterprise computer forensics capabilities enable an organization to quickly and effectively investigate a computer security incident to determine the nature of the compromise, what systems and files were accessed, and accurately respond to, remediate, and, if necessary, refer the incident to law enforcement.
Right responses are critical
Consider the trigger first: disclosure is required when a company reasonably believes that protected data has actually been compromised. Some experts are concerned that this provision may force blanket disclosures whenever a serious network intrusion or insider compromise is detected. Computer forensics gives companies the ability to scope any disclosure to what the investigation actually shows was taken, rather than notifying every customer by default.
Additionally, comprehensive enterprise computer forensic investigations will enable companies to defend themselves against frivolous lawsuits that this legislation may very likely spawn. Without proper incident response planning and preservation of computer forensic evidence, corporations will face serious difficulties in defending themselves against such claims.
Another important component of the California law is that disclosure is not required if the data acquired was stored in encrypted form. Computer forensic analysis can determine this, and can also confirm or rule out the use of password cracking or decryption tools. The practical caveat is that encryption only protects the company if the intruder did not also obtain the key or a credential that decrypts the data, so the investigation must establish what the intruder could read, not merely how the data was stored.
If unauthorized access is confirmed, the law permits a company to delay notification when a law enforcement agency determines that notification would impede a criminal investigation, so the ability to delay depends on bringing law enforcement in. Agencies that prosecute cybercrime are often reluctant to become involved if a company has mishandled or compromised the computer evidence by failing to follow proper protocols, for example by examining original disks directly instead of verified images. When a company conducts a proper computer forensics investigation, the chain of custody of digital evidence is preserved from the corporate security team through to law enforcement.
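As an added illustration (not from the original article and not Guidance Software's own tooling), the following Python shows the core of the chain-of-custody discipline described above: hash the evidence image at acquisition, re-hash it at every hand-off, and refuse any transfer whose digest no longer matches the acquisition digest. The item identifier, holder names and image bytes are constructed for the example, and SHA-256 is an assumption (practice at the time often relied on MD5 or SHA-1).

```python
"""Evidence preservation and chain-of-custody record (added example).

Assumed workflow: an acquired disk or file image is hashed when collected,
every hand-off re-hashes the image and appends a log entry, and a digest
mismatch is recorded and the transfer refused. All names and bytes are
constructed for the example; SHA-256 is an assumption.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


def sha256_hex(data: bytes) -> str:
    """Digest of the whole evidence image; this is what the custody log tracks."""
    return hashlib.sha256(data).hexdigest()


def timestamp() -> str:
    """UTC timestamp for a log entry."""
    return datetime.now(timezone.utc).isoformat()


@dataclass
class CustodyEntry:
    when: str
    action: str      # "acquired", "transferred" or "transfer refused"
    holder: str      # who holds the evidence after this step
    digest: str      # SHA-256 of the image as presented at this step
    verified: bool   # digest matched the acquisition digest


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_digest: str
    log: List[CustodyEntry] = field(default_factory=list)

    @classmethod
    def acquire(cls, item_id: str, description: str,
                image: bytes, examiner: str) -> "EvidenceItem":
        """Record the image digest at collection time; later steps compare to it."""
        digest = sha256_hex(image)
        item = cls(item_id, description, digest)
        item.log.append(CustodyEntry(timestamp(), "acquired", examiner, digest, True))
        return item

    def transfer(self, image: bytes, from_holder: str, to_holder: str) -> bool:
        """Hand the image to a new holder only if its digest still matches."""
        digest = sha256_hex(image)
        ok = hmac.compare_digest(digest, self.acquisition_digest)
        if ok:
            self.log.append(CustodyEntry(timestamp(), "transferred", to_holder, digest, True))
        else:
            # Evidence stays with the current holder; the mismatch is part of the record.
            self.log.append(CustodyEntry(timestamp(), "transfer refused", from_holder, digest, False))
        return ok

    def intact(self) -> bool:
        """True only if every step in the log verified against the acquisition digest."""
        return all(entry.verified for entry in self.log)

    def report(self) -> str:
        """Human-readable custody record for the case file."""
        lines = [f"Item {self.item_id}: {self.description}",
                 f"Acquisition SHA-256: {self.acquisition_digest}"]
        for e in self.log:
            status = "OK" if e.verified else "MISMATCH"
            lines.append(f"{e.when} {e.action:17} holder={e.holder:12} {status}")
        return "\n".join(lines)


def run_example() -> EvidenceItem:
    """Constructed scenario: one clean hand-off, then an altered copy is refused."""
    image = b"constructed evidence image: web server /var/log excerpt, 2003-07-01"
    item = EvidenceItem.acquire("E-0001", "web server log volume image", image, "corp-ir-team")
    item.transfer(image, "corp-ir-team", "law-enforcement")      # digest matches
    tampered = image[:-1] + b"X"                                  # one byte altered
    item.transfer(tampered, "law-enforcement", "outside-counsel")  # refused
    return item


if __name__ == "__main__":
    print(run_example().report())
```

The point a practitioner should take from this is that the digest, not the file name or the handler's word, is what ties each log entry to the acquired image; a refused transfer is kept in the log deliberately, because an unexplained gap is as damaging in court as a mismatch.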
SB 1386 is a statute of substantial importance that requires advance planning, training and implementation of proper procedures to ensure compliance. Incident response planning that includes proper computer forensics protocols will go a long way toward an enterprise achieving its SB 1386 compliance goals.
John Patzakis is president and CEO of Guidance Software, Inc. (www.guidancesoftware.com).