Issue TOC Print full article Print this page Download as PDF E-Mail this URL Discuss this article Flame the author     In this article Introduction All in the Implementation Gramm-Leach-Bliley Whip Out the Crystal Ball HIPAA An Open Door Policy Sarbanes-Oxley Executive Summary Law vs. Regulation FYI With 1386, California Leads the Way Hospitals Get HIPAA Web Links Epoll Results

In most states accountability does not go back to the original source: the patient or customer. Neither GLBA nor HIPAA require enterprises to inform customers if their personal or private information is compromised, and there is no comprehensive federal law protecting privacy in the United States. Such laws have generally fallen to the states.

Some states have responded, with common law providing remedies for intrusions into the private affairs of their citizens and protecting their private facts from public disclosure. Other states continue to be at the forefront of protecting privacy.

California signed SB 1386 into law in 2002, and it became effective on July 1, 2003. SB 1386 protects California citizens' personal information, including social security, driver's license, credit card and financial account numbers. SB 1386 requires any state agency, person, or business with computerized data that includes unencrypted personal data of a California citizen to disclose breaches in security that compromise that information. The law requires the disclosure to be made as speedily as possible, and any company--regardless of location--that does business with California citizens is affected.

Many people will be watching to see if this law will hold up in court and how it will be enforced by the state attorney general. For example, the law is not precise in regard to what security breaches may trigger the notification requirement, and it is also vague as to the time frame to send the notification.

But don't be shortsighted. Look into encrypting private information in your databases and files. It makes good business sense, and your customers will be more confident in their relationship with you. Besides, we predict that the federal government will follow California's lead because if it does not, enterprises may face a patchwork of 50 different state laws. That would be bad for business. And at the very least, 1386 shows that one state recognizes who owns personal information and who should be informed when it is compromised.