To everyone's surprise, California Governor Arnold Schwarzenegger vetoed Senate Bill SB-20 last week. The bill would have required businesses to inform consumers of what data about them was lost during a breach, inform the California Attorney General if more than 500 records were lost, and provide advice to consumers on how to protect themselves from their data being exploited. It was passed by both the California Legislature and Senate without opposition.
The authors of the bill had worked closely with the insurance industry and other related parties to strike the right balance between protecting consumers and not placing an undue burden on businesses. Arnold disagrees, and claims to be looking out for businesses, yet those businesses had already dropped opposition to the legislation.
The Governator and I clearly don't see eye to eye on this one. I had my debit card "skimmed" a year ago from a local Automatic Teller Machine (ATM) in Vancouver. My bank dutifully notified me and asked me to come in for a replacement card. While speaking with the clerk at my local branch to retrieve my new card, I asked "Which ATM was it where my card was compromised, or was it a shop?" The response was "We don't disclose those details to customers."
Why not? I certainly do not want to make the mistake of returning to a merchant who may have been in on the scam. Consumers who are made aware of data loss have a right to know what personal information may have been obtained about them so they can protect themselves in the future.
Today Graham Cluley posted a video about the information people will provide to random strangers. We can't expect others to protect our privacy if we don't keep our personal information safe. I think many of us are caught off-guard and are sometimes careless with this information, but we cannot become numb to the problem.
According to DataLossDB.org, 76,325,137 records have been lost already in October. Some of those victims were likely previously notified and just assume there is nothing they can do. The best way for individuals to deal with 3rd-party data leakage is to simply stop doing business with companies that do not make protecting their data a priority.
California had become a leader in the United States after the passage of bill SB-1386, which provided the most stringent requirements on business and government to protect consumer data and notify consumers affected by a breach. Those of us in the data protection business had hoped California would continue to lead the way by example.
This bill would have allowed consumers to acquire more knowledge of how their information is being mishandled, but they are not entirely in the dark. They will still be notified of breaches, and their data still must be protected.
For this reason we have made it easy for our customers to purchase a bundle that includes data protection for both enterprises and small businesses.
- For email we introduced SPX technology for the Sophos Email Appliance to create simple ways of safely sending sensitive data to people outside your organization.
- On the desktop we offer full disk encryption, alongside our integrated DLP (no extra charge!) to help prevent you from ever having to notify the fine citizens of California that you've accidentally leaked their personally identifiable data.
- The Department of Defense is well aware of the risks of P2P applications and other unauthorized network activity as was demonstrated when secret blueprints were distributed online. Our integrated application control can help limit usage of programs that can accidentally share files online.
Even though it is new to many IT departments, the use of DLP, encryption, and application control is essential to protect our customers' and employees' private information. By reducing the cost and complexity, we hope to be a part of helping you stop the next 76,325,137 records from being lost.
Creative Commons ShareAlike photo of California Flag courtesy of Patrick Vroman
Creative Commons photo of Arnold Schwarzenegger courtesy of Thomas Hawk's Flickr photostream.