Companies are unprepared for California data privacy law
Companies doing business in California have a compelling reason to bolster their data security. A tough new state law that goes into effect July 1 will require companies that maintain data on California residents to inform individuals of any security breaches that result in their personal information being stolen.
Apart from those in the financial services and health care sectors, few companies appear to be aware of the pending rules, according to some legal experts. That could be dangerous, since failure to comply with the statute's requirements could expose companies to potentially costly lawsuits, legal experts warned.
"The law is a sleeper that has not received much national attention," said Christopher Wolf, a partner in the Washington office of Proskauer Rose LLP.
California SB 1386 was signed into law last year and is being used as a model for a similar federal identity-theft-related bill. Both laws aim to force companies to proactively identify security breaches that could result in identity theft -- something that companies have traditionally been unwilling to do.
"[California's] law does more through implication rather than direct language," said Michael Overly, a partner at Foley & Lardner, a Los Angeles law firm.
The law doesn't spell out the administrative or technical actions that companies might need to take to be in compliance. But the implication is that companies need mechanisms for detecting, monitoring and responding to breaches that might compromise personal data.