Businesses are unprepared for a new law under which they must notify customers if personal data is compromised, say legal experts. A new California law requiring companies to notify customers if their computerised personal data is stolen will be difficult to comply with because companies may not always know when a theft occurs, security and legal experts said on Tuesday.
"Once you have a break-in you really don't know what's been taken,'' said Richard Smith, a security and privacy expert. "This is going to be a big burden for companies to have to send out these notices." Smith and other experts said the law is a good idea, but that the logistic and enforcement issues might make it less than effective initially.
"Companies are not prepared to notify customers. They're all going to wait and see,'' said Bruce Schneier, chief technology officer at Counterpane Internet Security, a network monitoring firm. He predicted it will be difficult to enforce the new California privacy law since computer intrusions typically only come to light if someone tries to use the data, for example, to steal an identity. Under the law, companies must notify California residents if their unencrypted personal data, name and social security number, driver's licence number or credit card number and password, are "acquired'' by an unauthorised person or believed to have been stolen.
"I think most companies don't encrypt their computer data. I don't think they could even tell if somebody hacked in and took information,'' added Nick Akerman, a New York lawyer and former federal prosecutor who specialises in computer fraud and intellectual property law. "I would be very surprised if most companies are prepared for this.'' The law also offers exceptions for companies and data involved in ongoing investigations, a situation Schneier said could be abused.
News source: ZDNet (UK)