The Cenzic Hailstorm® solution helps companies comply with AB 1950, allowing companies to use automated processes to manage their security. Hailstorm is a key tool for preventing breaches.
California Identity Theft Laws
And Application Security
AB 1950, SB 1386, and Beyond
Table of Contents
Executive Summary
Rising Public Anxiety About Identity Theft
The California Legislature Steps In
(a) SB 1386: Security Breach Notification
(b) AB 1950: Protection of Personal Information
Identity Theft Laws Beyond California
The Application Security Link in the Compliance Chain
The Cenzic Hailstorm® Solution for Assisting in Identity Theft Law Compliance
California Identity Theft Law Compliance Chart
Appendix: SB 1386 and AB 1950: Selected Sections from the California Civil Code
Cenzic developed this white paper with the assistance of Infoliance, Inc. (www.infoliance.com)
Nothing in this white paper is intended as legal advice. Please consult competent legal counsel if you have legal questions.
Executive Summary
An April 2002 security breach at California's Stephen P. Teale Data Center triggered public outrage. It eventually led to California's security breach notification law, SB 1386. SB 1386 calls for notification of California residents following some kinds of security breaches. On January 1, 2005, California legislation called AB 1950 went into effect. It requires businesses to protect certain "personal information." A steady wave of security breaches involving the theft or loss of personal information in 2005 underscores the vulnerability of personal information to hackers seeking identity theft targets. It is likely that incident response costs, legal fees, and the losses from tarnished reputations imposed enormous costs on the organizations falling prey to these security breaches.
AB 1950 addresses companies owning or licensing certain personal information about California residents. These companies must implement reasonable security procedures and practices to prevent the unauthorized access, destruction, use, modification, or disclosure of that personal information. SB 1386 requires businesses and state agencies to notify California residents of breaches in the security of certain "personal information" in computerized records. Other states have enacted legislation similar to SB 1386. Federal legislation is pending in Congress.
Application security and automated tools to assess application security vulnerabilities protect computerized information accessible through web-enabled applications. Accordingly, application security tools are crucial for preventing unauthorized access, destruction, use, modification, or disclosure of personal information available through web applications, as required by AB 1950. The Cenzic Hailstorm® solution helps companies comply with AB 1950, because companies can use automated processes to assess risk, check for vulnerabilities, and test code and controls during software development for the purpose of preventing unauthorized access, destruction, use, modification, or disclosure of personal information. Also, companies that successfully prevent security breaches have no breaches to report under SB 1386 or similar laws. And the Hailstorm solution is a key tool for preventing breaches from occurring.
I. Rising Public Anxiety About Identity Theft
On April 5, 2002, hackers exploited vulnerabilities in a server holding a database of personnel information on California's 265,000 state employees. The victims included then-Governor Gray Davis and 120 state legislators. The security breach at California's Stephen P. Teale Data Center in Rancho Cordova compromised names, Social Security numbers, and payroll information. Public outrage soon followed the May 24, 2002 public ...