California Disclosure Law Has National Reach
from the what-goes-in-California-goes-everywhere dept
Here’s an interesting discussion concerning the new California anti-identity theft legislation that requires companies to admit when there has been a security breach. It seems that this California law will impact any business with customers in California – meaning just about any online business. This could bring up some more internet jurisdiction questions (as if we need some more). The article also points out what they call the “ROT13 loophole”, which basically says that you don’t have to disclose a security breach if “encryption” is used – but the law gives no indication of how strong the encryption needs to be. It would be fun to see companies implementing incredibly weak (useless) encryption for their databases, not to satisfy any justifiable business need, but to protect themselves from having to disclose any security breaches.