
The Impact of California's New Law Regarding Security Breaches -- Kryptec.net

Question:
Does California's SB 1386, which mandates that organizations announce certain security breaches, apply to you?

Answer:
Most likely! California's SB 1386 applies to all organizations that store California residents' personal information.

California Senate Bill 1386 took effect on July 1, 2003 and is a sweeping measure that mandates all organizations to announce any security breach that MIGHT have compromised unencrypted personal data of any California resident. This information includes Social Security numbers, California driver's license numbers, account numbers, credit card numbers, and debit card numbers. The bill permits the notifications required by its provisions to be delayed if a law enforcement agency determines that notification would impede a criminal investigation. Below are the particulars:

Worldwide Focus
This regulation applies to any organization that stores unencrypted personal information of California residents. The most common misconception about this regulation is that only California organizations need to comply. It is defined to include any organization in the world that does business with, and stores information about, California residents.

At a Glance
This regulation was designed by the California state government to protect the confidentiality of all California residents. In summary, SB 1386 requires that whenever a network is compromised, or the network administrators determine that information might have been accessed by an unauthorized individual, the organization must disclose the breach to all customers who are California residents. This covers any network attack, from unauthorized penetration and breaches to networks infected by viruses and worms.

Penalties
Organizations found to be non-compliant with this regulation that fail to disclose computer security breaches become liable for civil damages or face …

Mitigation Processes
Developing a comprehensive security plan should always be considered an important focus of security management objectives. However, there are several simple procedures that can be followed to mitigate this risk:

  • Continuously update the enterprise anti-virus solution.
  • Deploy a network vulnerability assessment tool that scans all hosts on the network and uncovers their vulnerabilities. This process should be performed monthly.
  • Deploy an acceptable patch management solution that allows the network administration team to respond to any vulnerability found. A more stringent policy would be to have all files saved on a local share, disable all local saving capabilities (floppy and USB storage), and deploy a thin client on each workstation. Some patch management solutions offer add-on tools to deploy client images to each machine, which would ensure that the network workstations are always up to date with the latest patches and that nothing but approved files and applications is stored on the workstation.
  • Communication to and from sensitive databases, as well as the database files themselves, should be encrypted. This way, if a network is compromised, the probability of this information falling into the wrong hands is reduced.

As with all security regulations and the standards that follow them, practicing due diligence and developing a strong security infrastructure can greatly mitigate the risk of compromise, as well as the risk of litigation resulting from an unauthorized attack or compromise.

First published on 08/23/2004
