Known as the “Right to Know Act of 2013,” AB 1291 was amended this week to boost its chances of success after being introduced in February by state Assembly member Bonnie Lowenthal. If passed, it would require any business that retains customer data to provide, upon request, a copy of that information, including whom it has been shared with over the past year. It applies to companies that operate both on- and offline.
The claim is that it doesn’t add data protection requirements, but in practice it does. Here is how:
- You will need mechanisms to securely share the data with customers. This will likely be the same as what healthcare and financial institutions do today (generally email encryption).
- You will need better auditing of who data is shared with.
- Depending on interpretation of the law, you might need better auditing of how it is used internally. Right now this doesn’t seem to be a requirement – I am just paranoid from experience.
What to do?
For now? Nothing. Remember the Compliance Lifecycle. Laws are proposed, then passed, then responsibility is assigned to an enforcement body, then they interpret the law, then they start enforcement, then we play the compensating controls game, then the courts weigh in, and life goes on. Vendors will likely throw AB 1291 into every presentation deck they can find, but there is plenty of time to see how this will play out.
But if this goes through, there will definitely be implications for security practitioners.
2 Replies to “Proposed California Data Law *Will* Affect Security”
Also if your organization deals with European or Canadian privacy law you are probably already doing similar things in this regard.
If by similar you mean praying to whatever god you believe in that no one ever asks you what data you hold, then I agree! Seriously, though, I work for a UK company that deals in a lot of EU personal information and I am not aware that we have gotten a single data subject request in the 7 years I've been there. And Europeans are a lot more privacy sensitive than Americans are. This CA thing will likely make press and vendors happy but doesn't worry me yet.