California Security Breach Information Act 1386 (SB 1386) is codified in Section 1798.29 of the Civil Code. The language is convoluted.
1798.29. (a) Any agency that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. [emphasis is mine.]
Tell me how you interpret this section. One of the terms of disclosure appears to be that an agency is required to disclose a breach following notification of a breach, yes? Well, that seems to have been ChoicePoint’s way out of early action on this matter.
SearchCIO.com has a shorthand guide to compliance with this law.
Privacydigest links to articles on the irony of ChoicePoint’s failure to do its own due diligence. Q Daily News debunks the notion that ChoicePoint is a victim, that the site was not hacked. The Washington Post has a background piece on the company.
Mark Rasch was interviewed in Bank Systems and Technology and pointed out the sloppiness in ChoicePoint’s information management: “[The criminals] were literally going through tens of thousands of background checks. That should have been a trigger that they weren’t just doing a background check – they were generating a database of personal information.” [Thanks to Roy Wilkinson for directing me toward searchCIO.]