Gartner Research Warns Over New Californian Data Privacy Law

by Glen Shapiro, LawAndTax-News.com, New York

10 July 2003

Following the introduction of new data privacy laws in California on July 1, requiring companies, government bodies, and other organisations to inform customers if their personal information has been stolen or viewed by any unauthorised person, information technology research firm, Gartner Research has warned that simply employing encryption technology may not be enough.

The new law does not provide for penalties to be imposed on organisations which fail to adequately protect their customers' data, but does allow California residents to sue for the unauthorised viewing, and/or potential loss of their personal information.

However, the research firm revealed that:

'From discussions with clients, Gartner believes that there is a common misunderstanding that merely encrypting data will exempt organisations from the law. This is not so. Encryption of data 'at rest' suffers from key management problems that limit its effectiveness, is often expensive and only offers protection from a narrow range of attacks.'

'Following good security practices is [a] far more comprehensive solution. If customer data is released or accessed in any unencrypted format - such as through an application vulnerability or perhaps via a paper record secondary to an electronic breach - the enterprise remains liable under the law.'

The Gartner 'First Take' report concluded by recommending that instead of merely encrypting data, enterprises dealing with Californian customers should examine their data security systems thoroughly, eliminate unnecessary data, and formalize breach notification procedures in line with the new state law.

Recommended