by Allan Holmes

Riding The California Privacy Wave

Jan 15, 2005 | 14 mins

Wherever your business is headquartered, on the Midwest’s grassy plains or in the South’s sweltering cities, you have to deal with the new tide of legislation swelling out of the Golden State.

California. It’s where the nation looks for the next hot trend in fashion, business, religion, technology–you name it–that will eventually end up in your state or hometown. The Golden State is where McDonald’s hamburgers began their inexorable march eastward, where smoking was first banned in restaurants, where the original Earth Day was held and where the New Age movement began. These trends altered American culture to such an extent that they gave rise to the maxim, “As California goes, so goes the nation.”

Now get ready for the next California phenomenon with the potential to profoundly affect your lives as CIOs: a wave of privacy legislation aimed at protecting consumers’ personal information. These laws will put a much greater onus on corporations and organizations to manage their data more securely–or face stiff sanctions and lawsuits. The California state legislature has already enacted more than a dozen laws that regulate how businesses, universities and other organizations that collect personal information on California residents must manage private data.

And that’s just the beginning. California legislators are prepared to introduce more privacy bills when the state legislature convenes this month, including, among other things, bills to regulate the use of radio frequency identification (RFID) and how companies outsource data. Even Congress is getting in on the act. It is considering in committee a bill that mirrors the California law about notifying customers when a security breach occurs. And states are beginning to consider privacy bills that restrict outsourcing operations that involve personal information.

“You are going to continue to see more legislation, and particularly more legislation out of California,” warns Peggy Eisenhauer, counsel and head of the privacy and information management practice for the Atlanta law firm Hunton & Williams.

Like a large hurricane sweeping in off the Pacific, these laws will wreak havoc on all kinds of business processes, including how websites can collect personal data and the management of databases that store personal information on customers. They will influence how companies share personal data with third parties and restrict their ability to contact consumers via cell phones and faxes. State lawmakers are also considering laws that could affect how your company outsources services that handle personal information. And keep in mind: Any company that sells a product or service to a California resident, even if the company is based outside the state, may be affected. Just having a website that a California resident visits–and one out of 10 Americans lives in California–can put you under the jurisdiction of these laws.

Although there is no record yet of any company being sued over these laws, it’s just a matter of time. “You’re going to see increasing litigation for security breaches, especially when the result is identity theft or financial losses,” says Behnam Dayanim, a privacy attorney with the international law firm of Paul, Hastings, Janofsky & Walker.

So what can CIOs do? You may not be able to divert this threatening tidal wave, but you can be prepared for it. To reduce your company’s vulnerability, educate yourself about the legislation so that you can talk intelligently with your corporate counsel and CEO. And you can insulate yourself from some of the laws altogether by using encryption. You can also adhere to best practices discovered by CIOs who have run afoul of some of these laws and learned from the experience. Such practices include communicating with the public on what information you collect, and following that up with clear, honest answers to questions from customers and the media in the event of an information leak.

And just think: Complying with these laws could actually end up being good for your business. Frank Giannantonio, senior vice president and CIO for Lands’ End, believes this has occurred at his company. “These laws are not constraining our ability to do business,” he says. “It’s to the benefit of our customers.”

Privacy and Paranoia in the Golden State

What are the forces that have led California to drive such a large legislative stake in the privacy ground? The answer: Californians worry about rising rates of identity theft and fraud, and they fear that corporations will use their personal information to inundate them with marketing campaigns.

Sen. Debra Bowen (D-Calif.), author and sponsor of many of the state’s privacy laws, notes that an estimated 10 million Americans experienced some sort of identity theft within the past year, leading to credit card and bank fraud. In a recent report, the Aberdeen Group concluded that by 2005, identity theft losses could reach $2 trillion worldwide. The rise in identity theft has made consumers increasingly skeptical of corporate efforts to collect personal data. In fact, many Americans believe strengthening privacy safeguards should be the government’s number-one priority, according to a study conducted this year by the market research firm Yankelovich.

California’s state legislature has responded to the heightened public concern by passing a flood of legislation in the past two years. The first law, SB 168, was a Bowen-sponsored bill that took effect in 2002, preventing businesses from using California residents’ Social Security numbers as unique identifiers, in the hope that those numbers would be harder for criminals to obtain. The law also gives California residents the right to block access to their credit reports. “SB 168 really put privacy and identity theft on the map for a lot of people,” Bowen says.

Businesses resisted SB 168 at first because of the costs associated in changing identifiers in corporate networks, but the law is now beginning to be adopted nationwide. The law pushed IBM last year to require its more than 100 health insurance providers to stop printing Social Security numbers on medical ID cards, claims forms and other documents or risk losing Big Blue’s business. The change affected more than 540,000 IBM retirees, employees and their families in the United States.

The legislature has since passed laws that affect many other technologies and industries. Even California Republicans, previously unsupportive of privacy measures, have jumped onto the bandwagon: A Republican-authored bill was signed into law in September, requiring companies to remove the Social Security number from pay stubs.

On the advice of his CIO, California Gov. Arnold Schwarzenegger recently vetoed a bill that would have made it illegal to outsource Californians’ personal medical information to companies based in other countries without first obtaining permission from the individuals. The governor also vetoed a bill that would have required employers to notify California employees before reviewing their e-mail, monitoring their Internet surfing, or tracking their whereabouts using techniques such as GPS in company cell phones and cars. But those bills, and others like them, are expected to be reintroduced this month.

“These laws are just the beginning,” says Mark Durham, communications director for Identity Theft 911, which provides consulting services. “You think Y2K was big. This is bigger.”

Time to Rethink Your Privacy Policies

Many CIOs whose companies do business in California may think they are in compliance with some of these laws. But they would be wrong. For example, executives may assume they are in compliance with the law requiring a privacy notice on their corporate website that states clearly what personal information is being gathered on browsers. However, as many as 80 percent of the privacy policies at corporate sites are out of compliance, according to the Ponemon Institute, which conducted a survey of up to 500 randomly selected websites. Half of these noncompliers violate the law in a trivial way; for example, the site links to an outside domain and the policy does not inform the user, says Larry Ponemon, founder of the Ponemon Institute and a privacy expert. However, the other half is out of compliance in ways that could get the company in trouble. For example, some sites use Web beacons, or pixel tags, to identify visitors’ IP addresses without obtaining consent. Other sites use cookies stored on browsers’ hard drives to identify them without disclosing that fact in the privacy policy.

Keep in mind that these laws can affect companies even when there is no evidence of identity theft. For instance, when the computer network at San Diego State University was hacked earlier this year, there was no evidence that the information on the server had been compromised or stolen. (The hackers were using the server’s large storage capacity to store MP3 music files and later launched e-mail spam from the server.) However, the first initials, last names and Social Security numbers of nearly 207,000 students and financial aid applicants (many of whom did not attend the university) were in a database on the server. To comply with a state statute, university officials had to quickly notify all 207,000 people that their Social Security numbers may have been stolen. The price tag: $200,000. And that doesn’t include the cost in terms of bad PR.

As of August, the university’s IT department received over 1,500 calls in response to the notifications, many of them from angry students and faculty members. “A lot of people yelled how incompetent I was,” says Felecia Vlahos, the university’s information security officer, who answered some of the calls herself. Even so, she remains a fan of the law. “The California law brought about exactly what it was supposed to bring about: protecting people’s identity,” she says.

A Compliance Nightmare

CIOs from the financial industry are even more worried about another law (SB 1) that requires financial institutions to obtain permission from their customers if they share customers’ personal data with a nonaffiliated company, such as a contractor or an IT provider. The law, which went into effect in July, is a “compliance nightmare,” says Stephen Wu, founder and CEO of the InfoSec Law Group in Mountain View, Calif. For example, if a financial institution shares a customer’s personal data with a third party, it must follow strict and detailed rules, including instructions on margin width (“wide margins, ample line spacing and uses boldface or italics for keywords”), font size (“no text in the form is smaller than 10-point type”), number of words per sentence (“an average of 15 to 20 words”), even what needs to be on the envelope (“clearly state in 16-point boldface type ‘IMPORTANT PRIVACY CHOICES’”). “This is where California has gone overboard with unrealistically burdensome financial regulations,” attorney Dayanim says.

The financial industry is hoping the courts will view it the same way and rule that a less stringent federal law trumps SB 1. This year, several trade associations, including the American Bankers Association and the Consumer Bankers Association, sued the state of California over SB 1, arguing that the federal Fair and Accurate Credit Transactions Act (FACT) preempted SB 1. But the district court ruled that FACT pertained only to consumer report information. The associations have appealed to the United States Court of Appeals for the Ninth Circuit. A decision could come early next year.

To Notify or Not: That Is the Question

So what to do? In the political arena, corporations can lobby Congress to pass legislation that nullifies extreme state laws. But given public concerns about privacy, CIOs should prepare now to insulate themselves and their companies. First, assemble a senior-level team, which would include first and foremost the company’s general counsel, CEO and CFO. Other senior-level executives could be included as well, such as the head of HR, the COO and the marketing director. “If I were talking to CIOs, I would tell them that their best friend has to be the corporation’s general counsel,” advises Eisenhauer. “The general counsel must stand behind you to get the proper funds to secure these systems. They can tell the CEO just what is at stake.”

That’s the approach that Giannantonio of Lands’ End used at his firm. A team of top executives regularly meets to discuss security and privacy issues. In late August, the team–which includes Giannantonio and nine other top executives–met to discuss business practices. The California law requiring businesses to notify customers of any information-sharing arrangements with third parties was one of the topics of conversation. The team decided to explore various compliance options such as a dedicated e-mail address to deal with inquiries from California customers and adding a webpage that offers information on how the retailer shares data with third parties.

CIOs can take other steps as well. For instance, under California’s breach notification law, companies are not required to notify customers in the event of a security breach if the customers’ personal data was encrypted. The statute does not say how strong the encryption must be, so even the weakest encryption appears to qualify. But watch out. If you are sued for not notifying customers when a breach occurs, a judge or jury could rule that the encryption was so absurdly weak that in essence the company had no encryption. And encryption of any strength protects nothing if the attacker walked off with the key along with the data, so the key must be stored and managed apart from the records it protects.

Privacy experts recommend segregating data that pertains to California residents. That way, CIOs can focus on that data and avoid having to explain why they are not notifying non-California residents. Lands’ End is doing that, but with a twist. All credit card information is stored in one file, and customer names and addresses are stored in another, and all of it is in the process of being encrypted. If a breach exposed one of the files, a hacker could not link specific names to credit card numbers. The law requires a company to notify customers only if the compromised data includes a name linked to a driver’s license number, credit card number or Social Security number.
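The Lands’ End arrangement above, segregated files plus encryption, is easier to reason about in code. What follows is an added illustration written for this article, not Lands’ End’s own system (the article gives no implementation detail). It assumes a single AES-256 key held by the application outside both files, a random 128-bit token as the only link between a name row and a card row, and AES-GCM with the token as associated data so that a ciphertext copied onto another customer’s row fails to decrypt. The names, address and card number are constructed sample data; 4111111111111111 is a standard test card number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// customerRecord is all the name/address file holds: no card data at all.
type customerRecord struct {
	Name    string
	Address string
}

// segregatedStore keeps the two files apart. Rows are linked only by an opaque
// random token; the card file holds AES-GCM ciphertext, and the key is held by
// the caller and never written into either file. (Illustrative design, not the
// retailer's actual system.)
type segregatedStore struct {
	customers map[string]customerRecord // token -> name and address
	cards     map[string][]byte         // token -> nonce || ciphertext || tag
	aead      cipher.AEAD
}

func newSegregatedStore(key []byte) (*segregatedStore, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &segregatedStore{
		customers: map[string]customerRecord{},
		cards:     map[string][]byte{},
		aead:      aead,
	}, nil
}

// newToken returns 128 random bits as hex; it carries no customer information.
func newToken() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Add writes the customer to one file and the encrypted card to the other.
// The token is passed as GCM associated data, so a ciphertext moved onto a
// different customer's row fails authentication instead of decrypting.
func (s *segregatedStore) Add(name, address, card string) (string, error) {
	tok, err := newToken()
	if err != nil {
		return "", err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := s.aead.Seal(nil, nonce, []byte(card), []byte(tok))
	s.customers[tok] = customerRecord{Name: name, Address: address}
	s.cards[tok] = append(nonce, ct...)
	return tok, nil
}

// Card decrypts one card number; it is the only path that joins the two files.
func (s *segregatedStore) Card(tok string) (string, error) {
	blob, ok := s.cards[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := s.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("truncated record")
	}
	pt, err := s.aead.Open(nil, blob[:ns], blob[ns:], []byte(tok))
	if err != nil {
		return "", err // wrong key, tampering, or a ciphertext moved to another token
	}
	return string(pt), nil
}

// Exposed models a breach that copies both files but not the key: it reports
// whether the plaintext card number can be found anywhere in them.
func (s *segregatedStore) Exposed(card string) bool {
	for _, blob := range s.cards {
		if strings.Contains(string(blob), card) {
			return true
		}
	}
	for _, c := range s.customers {
		if strings.Contains(c.Name+c.Address, card) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // demo only: a real key comes from a key manager, not a zero buffer
	s, err := newSegregatedStore(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample data.
	tok, err := s.Add("Jane Doe", "1 Main St, Sacramento, CA", "4111111111111111")
	if err != nil {
		panic(err)
	}
	card, _ := s.Card(tok)
	fmt.Println("token:", tok, "card via key:", card, "visible in files:", s.Exposed("4111111111111111"))
}
```

The design point is the join: a thief with both files and no key sees names next to opaque tokens and tokens next to ciphertext, which is the condition the notification law turns on. Binding the token as associated data also stops a quieter attack, re-pointing one customer’s encrypted card at another customer’s row, which plain encryption of the card column alone would not catch.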

If a security breach does occur, and you fall under the disclosure law’s purview, there are some best practices you can follow. First, privacy lawyers say, don’t rush out immediately to inform customers when a database has suffered a breach. Although the law requires notice within an ambiguously termed “reasonable time,” you should first determine whether any data was actually stolen before going to the CEO. If you find beyond a reasonable doubt that no data was stolen, you do not have to inform customers. This avoids unwarranted alarm and the possibility of creating “warning fatigue,” in other words, customers not taking your notices seriously. Publicizing security breaches does have a downside. According to Ponemon, about 40 percent of customers say they would leave a company after one security breach. With a second breach, that jumps to 70 percent, and a third breach could cost a company 90 percent of its customers.

The most common choice among corporations that have discovered a breach is to do nothing, which is not a wise move. Dayanim says that inaction may keep the breach a secret, but it opens the company to a lawsuit if the breach is later discovered. And companies may be sued anyway if damages occur. “It’s a ‘rock and a hard place’ scenario,” Dayanim says.

CIOs may want to follow San Diego State University’s course of action. Even though the hackers probably didn’t steal Social Security numbers stored on the server, school administrators decided it would be best to alert affected students and faculty. When you do notify customers, being straightforward and honest with them is the best policy, says Vlahos. Set up a website with information about the breach, what to do and whom to call for more information, and then make sure you have knowledgeable people available to answer customer questions.

This last point was particularly important for David Ernst, CIO for the California State University (CSU) system. In June, CSU technicians lost a hard drive that had 23,500 student and faculty names on it that were associated with Social Security numbers. Ernst’s staff decided that the hard drive, left in the office overnight, most likely was thrown out by the cleaning crew. Nevertheless, Ernst believed it was in the school’s best interest to notify the people whose names and Social Security numbers were on the hard drive. The most helpful step–and “the biggest burden”–Ernst says, was having a person available to take calls, even though the law does not require it.

“This sends a positive message that the institution cares and is trying to do all it can to respond to the event,” Ernst says. “Most of those who called were appreciative that we provided this option.”