Quick refresher on an oldie but a goodie -- California SB 1386

It's hard to believe, but it's been almost six years since California enacted its landmark security breach statute, which led 44 other states to follow suit. Interestingly, though California has always been known as the liberal lion that wags the tail, Massachusetts and Nevada appear to have turned the statutory landscape on its head by enacting much stricter, front-end encryption statutes. Will states move in the direction of Nevada and Massachusetts?
Given the current economy, and seeing how businesses in those two states are struggling to meet the statutes' requirements (Massachusetts has postponed enactment and is now considering removing or softening several aspects of the law), California's breach notification approach is sure to remain the prevailing model for the foreseeable future. So, now is a good time to revisit California SB 1386.
What does it say? SB 1386 mandates that companies that store unencrypted electronic information about any California resident notify those persons if their data have been accessed illegally.
Who does it affect? Arguably, every business in the U.S., because of California's vast economy and the breadth of the Internet's commercial reach. The law applies if you (1) have even one customer or employee in California, (2) work with a company that has employees or customers in California, or (3) simply store data that contains information about a California resident.
What are the consequences? You don't even have to imagine the PR nightmare of having to notify customers that their data has been breached; it is a regular occurrence that has played on the nightly news over and over again. In addition to the embarrassment and potential loss of customer trust and business, the statute provides for civil lawsuits and class actions, which can cripple even the most solvent companies.
What can you do? You can do a host of things, such as review all your databases, hire consultants to assess your current methods of securing your data, employ a compliance officer, develop best practices, and enforce a rigorous program.
What is an easy step to take? The statute only applies to "unencrypted personal information." As such, you can escape liability simply by encrypting all computerized data, whether coming, going or sitting.
