Part 1: Impact of State Privacy Laws on InfoSec

Within California SB1386, one of the greatest concerns for information security and privacy professionals is language that includes liability related to the personally identifiable information of California residents, regardless of where that data is collected and stored.
Tasty Candy Store is a candy manufacturer in Las Vegas, Nevada. It has a special line of high-priced chocolate liqueur truffles that are a popular favorite of visitors to Las Vegas. Tasty Candy owners saw the potential for expanding their sales by creating a Web site, allowing customers to purchase their favorite sweet treats over the Internet. Their predictions were accurate, and soon the Tasty Candy Web site was busy processing orders from customers all over the world. Their customer base includes a large number of California residents.

Two years after Tasty Candy set up their Web site, the site fell victim to hackers who gained access to all of the credit card and demographic data for all of Tasty Candy's 12,000 customers.

Use the study materials and any additional research needed to fill in knowledge gaps. Then discuss the following:

What are the mitigating factors that would work to the benefit of Tasty Candy in meeting the requirements of SB1386 that pertain to information breach reporting related to California residents?

What are responsibilities of Tasty Candy in terms of reporting this breach of data specific to California residents?

Are there other state or federal regulations that would impact how and when Tasty Candy reported this data breach to the general public or to specific segments of their customer base?

Part 2: SB1386 Compliance Evaluation

Information security and privacy professionals are particularly concerned with language in SB1386 that includes liability related to personally identifiable information of California residents, regardless of where that data is collected and stored.

You are asked to speak at an information security conference on the topic of how commercial Web sites doing business with California residents can ensure they are in compliance with SB1386.

Use the study materials and any additional research needed to fill in knowledge gaps. Then discuss the following:

What benefit might an Internet-based company that sells to California residents enjoy by enforcing the standards and criteria of SB1386?

What challenges might an Internet-based company that sells to California residents experience specific to SB1386?

Respond to an audience member who posits that an Internet-based company's risk of running afoul of SB1386 is too small to spend resources trying to mitigate the risk.