In Depth

Simon Davies: Privacy's New Image

America's new rules of privacy are coming from the Old Country. Here's how Europeans like Simon Davies are getting America to rethink privacy.

By Daintry Duffy


California has enacted a law that will have an equally wide-reaching effect on corporate privacy practices. The Security Breach Notification Act went into effect on July 1, requiring companies to disclose details if they believe a breach has led to the release of personal information. The data covered by this law is an individual's name combined with one or more of the following unencrypted pieces of information: Social Security number, driver's license or ID card number, or an account, credit or debit card number together with the password that accesses that financial information.

While the law is intended to make citizens aware of potential abuses of their personal and financial data, it is likely to create a public relations nightmare for companies that will have to go public quickly with suspected breaches even if they later discover that no personal information was actually compromised or used. Any company with customers in California must comply with the law regardless of where the company is based. "As consumers, we're going to be getting lots and lots of notifications," says Westin. "Hacking into customer files, laptop thefts and [accidental] information disclosures: these things happen every day. And under this California law, it creates an extraordinary exposure." As an example, Westin recalls receiving a call about three years ago from a company that handled benefits information for various employers. A car belonging to one of the company's sales reps was broken into, and a laptop was stolen that contained the personal records of 50,000 employees, complete with names, addresses, Social Security numbers and income information: an identity thief's Valhalla. The company suspected that the laptop was stolen merely for its resale value, but it wanted to know from Westin whether it should notify the employees that the security of their information was in potential jeopardy. At the time he advised the company not to notify employees directly but to make some contacts within the employee group so that if any information was used improperly, they would hear about it quickly; to contact the police in case the laptop turned up at a pawn shop; and certainly to require salespeople to encrypt their files in the future. Hundreds of companies will now face this same dilemma without the option of taking a wait-and-see attitude.

Yet, regardless of who manages privacy, the CSO's role is to bridge the gap between what is promised and what is possible. "The CSO has to carry out, understand and, if necessary, challenge the assumptions of policy-makers, especially when those policies place a demand on systems that the CSO knows can't be met," says Westin. These evolving standards further underscore the importance of having security and privacy policies and practices inextricably linked, so that each supports the other.
