California disclosure law has national reach
Kevin Poulsen, SecurityFocus 2003-01-06

A new California law requiring companies to notify their customers of computer security breaches applies to any online business that counts Californians as customers, even if the company isn't based in the Golden State.

California disclosure law has national reach 2003-01-07
Midridth (1 replies)
re: California disclosure law has national reach 2003-01-07
Keydet89 (at) yahoo (dot) com [email concealed] (1 replies)
California disclosure law has national reach 2003-01-08
Ajay Gupta, CISSP
California disclosure law has national reach 2003-01-08
Anonymous (2 replies)
Interstate Law 2003-01-09
Ryan C
California disclosure law has national reach 2003-01-09
Anonymous
I haven't read the text of the law itself, only the synopsis posted here above and the other posts so far. Certain points get my attention.

First, I think there IS a constitutional question here: the regulation of interstate commerce via electronic means hasn't been decided in Congress to my knowledge. Therefore, one of those aggressive lawyers we all know and love will probably challenge the law soon. It's in all of our best interests that this challenge be registered and heard as soon as possible. California laws seem to lead the country at times, and I think they're batting close to .500 when it comes to national impacts.

Next, the jurisdictional aspects of a law have to be considered. If your company has an office in California, then you're subject to their laws. Period. That applies if one salesman living in California has a home office. In this case, how many companies would be affected? Only your legal department(s) know for sure, and they're pretty busy these days.

Then, how do you know you're doing business electronically in California if all you have is a web site that's available to people via the Internet? If it's designed to put a company presence on the web, but doesn't do anything more than provide information and a 'Contact Us' button for e-mail, does this constitute the kind of presence that would trigger the law? Banking, Insurance, Finance and Consumer-sales companies may take orders over the internet, and that's pretty clear cut. But how about those companies that have employees in California, but don't sell over the internet: if their internal systems are compromised by a 'hack' and 'personally identifiable' employee data is involved, then do they have to comply with this law? And how does this law interact with other legislation that's coming along, such as HIPAA?

There are more - I hope you're thinking of them now.

My personal opinion is that the sponsors and drafters of this law had their hearts in the right place, but may have acted as zealots in their efforts to get a law put in effect. I believe there are too many consequences outside the borders of their jurisdictions for Californians to assert management or control over them without some serious side-effects.

I also noted with a grin that this story's web key includes '1984'. A bit late, but isn't it the same genre?

Copyright 2008, SecurityFocus