July 19, 2003

California Data Encryption Requirements

I think I missed something somewhere. The article "Data security efforts are aiming at the wrong target" had an interesting surprise.

In fact, California has recently passed legislation to force companies to encrypt certain types of data, such as credit card numbers, Social Security Numbers, etc. However, even encryption on disk is only going to prevent the data from being read if somebody were to steal the hard disk, an unlikely event. A clever hacker with a hijacked user account can still log onto the server and read the data as the file system will decrypt the data as it is read from disk and transfer it in its decoded state.

I knew about the new law, but had not previously paid a lot of attention to its meaning. Hmm, this publication has some useful information. I suppose this could be interpreted as saying that California has required companies to encrypt this data. Here's another document which spells things out a little more completely.

The new California law, section 1798.2 of the Civil Code (the Act), also known as SB 1386, requires public disclosure of security breaches regardless of where the company is located or where the security breach occurs. Starting in July, this first-of-its-kind law requires disclosure of any security breach to each affected resident in California whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person.

Here's a link to the chaptered version of the bill as well as the bill's history. Or, you can download the PDF version.

Posted by Dave at July 19, 2003 03:16 PM