
Washington's SSB 6043 - on the heels of CA's SB 1386

And so, another state follows in the footsteps of California!

Two weeks ago, Washington state enacted Substitute Senate Bill 6043 (SSB 6043), a law requiring companies and government agencies that own or license personal information of Washington residents to notify those residents of breaches of the systems holding that data. The law goes into effect July 23, 2005.

To anyone even remotely informed about computer security, this does not come as a surprise. Beginning with ChoicePoint's disclosure in February 2005 (about a breach that resulted in the theft of personal data of more than 140,000 US residents), a wave of computer breach disclosures from companies all across America has left the country reeling:

  • Polo, Ralph Lauren - April 15, 2005; 180,000 identities affected
  • UC San Francisco - April 6, 2005; 7,000 identities
  • UC Davis - April 5, 2005; 1,100 identities
  • UC Berkeley - March 29, 2005; 96,000 identities (It seems like the UC system is faring especially badly - almost every school in the UC system has disclosed a breach to its computers within the last year, and this was the second disclosure for Berkeley within the last 6 months)
  • Kellogg (NWU) - March 20, 2005; 3,500 identities
  • Boston College - March 17, 2005; 100,000 identities
  • California State University - March 16, 2005; 59,000 identities (Yes, there is a higher than average representation of educational institutions in all breach disclosures)
  • DSW - March 10, 2005; 1.4 million identities
  • Lexis-Nexis - March 9, 2005; 310,000 identities
  • Bank of America - February 25, 2005; 1.2 million identities

All this, in just the last 60 days!

These computer breaches came to light only because a California law (SB 1386) requires disclosures of computer breaches affecting personal identity information to Californians. Since it is highly likely that the remaining 49 states fare no better or worse than California when it comes to computers, it boggles the mind to imagine what is NOT being disclosed to residents of the remaining 49 states. ChoicePoint admitted in Senate hearings that, but for California's SB 1386, they would never have disclosed their breach.

SSB 6043 is identical to California's SB 1386 in every respect, with the exception of two features:

  • In addition to private companies, SSB 6043 requires all Washington government agencies - state, county and city - to comply with the new law. California's SB 1386 required only privately owned companies and California state agencies to comply; city and local government agencies were exempted. (The official definition of "agency" per Washington law can be found here.)
  • It allows the owner/licensor of the data NOT to make a disclosure if the owner/licensor determines that the breached data is not likely to be subject to criminal activity.

We believe the second difference to be highly controversial, as it can have the effect of rendering this law ineffective. The law does not provide an independent or objective process or test for determining whether a person's identity data may be subject to criminal activity. As such, it leaves a huge loophole for companies to justify not disclosing breaches unless faced with irrefutable evidence. This can have the effect of falsely allaying Washingtonians' fears while, in reality, the breached information may be causing them harm.

Solution

For those who have unequivocal evidence, or believe there is a reasonable likelihood that the data is subject to criminal activity, what must they do to comply with SSB 6043? Precisely the same things they might do to comply with California's SB 1386.

Since SSB 6043 and SB 1386 are similar, and since we've already documented what companies must do to ensure compliance with California's SB 1386 on our website and through our newsletters, we will only summarize what companies/agencies must do to ensure compliance with the new law:

  • Establish a policy that describes what the company/agency will do to deal with sensitive data
  • Establish clear procedures to describe the detailed steps the company/agency will execute to ensure compliance
  • Train company/agency personnel to ensure everyone knows their responsibilities BEFORE a breach occurs
  • Use an optional control-tool to help manage the workflow associated with compliance, and for evidence-retention purposes

While these steps are necessary to deal with SSB 6043 or SB 1386 in a controlled manner, Chief Security Officers/Chief Privacy Officers responsible for the security of sensitive data must also initiate longer-term measures to decrease the likelihood of a breach of their systems. Once again, they are summarized here from past newsletters:

It is reasonable to assume that if a single Federal breach disclosure law does not go into effect this year, companies will have to deal with many separate state laws on the issue. Given the evidence and the intense focus on the topic, companies will do well to address it now rather than in the heat of a breach.

Summary

With the recent spate of breach disclosures, Washington is the first state to follow in the footsteps of California. It enacted SSB 6043 two weeks ago, requiring companies and government agencies to disclose computer breaches affecting the personal data of Washington residents. StrongAuth has heard that no fewer than 20 states currently have similar bills winding through the legislative process; it has not been able to corroborate this, but believes it to be reasonable given recent events. It is confirmed, however, that the US Senate is expected to propose Federal legislation modeled on California's SB 1386. Companies that deal with sensitive data belonging to US residents will, sooner or later, have to put measures in place to comply with laws such as SB 1386 or SSB 6043. The sooner companies have their plan in place, the easier it becomes to deal with the consequences of a breach disclosure.

© 2010 StrongAuth, Inc - Authentication for the 21st century!